Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

System32 Infection [RESOLVED]


  • This topic is locked This topic is locked

#1
Wicked Web

Wicked Web

    New Member

  • Member
  • Pip
  • 9 posts
Well it seems I got hooked up with a good one.. I did some research on it and everybodies removal instructions seem to be specific to them. So I figured it would be smart to open my own thread. Thank anyone and everyone in advance for this site and any help.

I have used the tool provided here and cleared Firefox cache and things that can be checked. All except for cookies because I was afraid if this thing is monitoring me then I would have to retype my password to get back into the forum.. Deleting cookies would have logged me out. As well the very instant I suspected the virus I cleared all private data in my browser. My Avast Home Edition Anti Virus appears to have deleted a number of infected files but when I start back up and do a scan avast says that there may be an infection in my memory and that I should do a boot scan.. So I do the boot scan and it always finds the same files each time and says that it deletes them.. Then on start up the process just repeats with avast saying "Suspicious File Found" C:\WINDOWS\system32\Drivers\clbdriver.sys

If I click to delete now it is unsuccessful in doing so saying that the object could not be found. I started getting two pop up tabs everytime upon opening up Firefox which was a jewelry site and a page load error tab. My anti virus deleted some files and I no longer get those.. Now I am starting to get my first adult site pop up.

I am Running Windows XP Home Edition.

Here is my Hijack This log. (Anti-Virus, Spyware Tools, Etc have been disabled to achieve this process of removal).

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:21 PM, on 7/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Wicked Warriors toolbar - {f26b8e07-45f8-4f64-b0e2-c96d8b798ff3} - (no file)
O3 - Toolbar: (no name) - {0ed074cb-446c-429f-b5de-a69f62f80397} - (no file)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [fc9bc55a] rundll32.exe "C:\WINDOWS\system32\xovgeyya.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker copy\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.di...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8537 bytes

I have already downloaded Combo Fix and FindAWF.exe if necessary to expedite this process..

My sincere thanks to you who take out personal time in your lives of work, family, and responsibilities to help me and others out..
  • 0

Advertisements


#2
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

And,

Delete your copy of ComboFix, it is constantly updated and we want to use the latest one.


Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

Post back with the logs please.
  • 0

#3
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok here is the information you requested in that order.

SDFix Log Here


SDFix: Version 1.205
Run by Owner on Sun 07/13/2008 at 02:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\jkkJyWmn.dll - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\atmadm2.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\dssc32.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\removalfile.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\software.php.bat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 15:13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"type"=dword:00000001
"start"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="42"
"subid"="0"

scanning hidden files ...

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll 110592 bytes executable
C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll 498688 bytes executable
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll 100864 bytes executable
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll 468480 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110592 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\dllcache\clb.dll 10752 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 10752 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll.000 110080 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll 498688 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll.000 501248 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 17


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Owner\\Desktop\\TCClient.exe"="C:\\Documents and Settings\\Owner\\Desktop\\TCClient.exe:*:Enabled:TCClient"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\The Flash Ad Creator v2\\The Flash Ad Creator 2.exe"="C:\\Program Files\\The Flash Ad Creator v2\\The Flash Ad Creator 2.exe:*:Enabled:The Flash Ad Creator"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Tristana Writer RSS Editor\\TristanaWriter.exe"="C:\\Program Files\\Tristana Writer RSS Editor\\TristanaWriter.exe:*:Enabled:Tristana Writer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 31 Oct 2003 196 A.SHR --- "C:\BOOT.BAK"
Mon 10 Nov 2003 532 A.SH. --- "C:\MSSYS.SYS"
Wed 8 Sep 2004 18 A..H. --- "C:\WINDOWS\system32\ln32k.DLL"
Wed 28 Apr 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 22 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


--Now here is the Combo Fix Log--


ComboFix 08-07-13.9 - Owner 2008-07-14 3:23:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.587 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\DDM
C:\Program Files\DDM\0\dir.ddm
C:\Program Files\DDM\0\fiz1
C:\WINDOWS\system32\ayyegvox.ini
C:\WINDOWS\system32\bhpejvhj.ini
C:\WINDOWS\system32\bvrecs.dll
C:\WINDOWS\system32\cbXOExUo.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dnalaf.dll
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\fqcmvaju.dll
C:\WINDOWS\system32\geltjtdx.dll
C:\WINDOWS\system32\hhjwkysr.dll
C:\WINDOWS\system32\hvyusgjy.dll
C:\WINDOWS\system32\jPoWvyay.ini
C:\WINDOWS\system32\jPoWvyay.ini2
C:\WINDOWS\system32\lxirhyrt.ini
C:\WINDOWS\system32\mofftmxl.dll
C:\WINDOWS\system32\mtrquf.dll
C:\WINDOWS\system32\ujavmcqf.ini
C:\WINDOWS\system32\xovgeyya.dll
C:\WINDOWS\system32\ypkghx.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-13 14:46 . 2008-07-13 14:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-13 14:44 . 2003-04-10 07:05 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\WINDOWS
2008-07-13 14:44 . 2003-04-10 06:50 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\Symantec
2008-07-13 14:44 . 2003-04-10 06:49 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\Sonic
2008-07-13 14:44 . 2003-04-10 07:08 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\SampleView
2008-07-13 14:44 . 2003-04-10 06:58 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\InterTrust
2008-07-13 14:44 . 2003-04-10 06:53 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\interMute
2008-07-13 14:44 . 2008-07-13 14:44 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP
2008-07-13 14:41 . 2008-07-13 15:18 <DIR> d----c--- C:\SDFix
2008-07-12 23:23 . 2008-07-12 23:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 08:07 . 2002-08-29 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-11 07:54 . 2008-07-11 07:54 321,792 --a------ C:\WINDOWS\system32\yayvWoPj.dll
2008-07-05 02:35 . 2008-07-05 02:35 104,448 --a------ C:\WINDOWS\system32\ecFDI.dll
2008-07-05 02:35 . 2008-07-05 02:35 90,624 --a------ C:\WINDOWS\system32\ecFCI.dll
2008-07-05 02:35 . 2008-07-05 02:35 27,944 --a------ C:\WINDOWS\system32\EclipseCabinet.chm
2008-07-05 02:33 . 2008-07-05 02:33 15,220 --a------ C:\WINDOWS\EP2k.gif
2008-07-02 03:53 . 2008-07-02 03:53 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-02 03:51 . 2008-07-02 03:51 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-02 03:42 . 2008-07-02 03:42 <DIR> d-------- C:\Program Files\Source Snatcher Full
2008-06-26 14:43 . 2008-06-29 04:33 <DIR> d-------- C:\Program Files\Animated Logo Creator v1.5
2008-06-26 07:07 . 2008-01-30 16:36 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-25 07:35 . 2008-06-25 07:36 <DIR> d-------- C:\Program Files\Common Files\logishrd
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 06:40 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-06-25 06:40 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-06-25 06:40 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-06-25 06:40 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-06-25 06:40 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-06-25 06:40 . 2008-04-13 20:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-06-25 06:40 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-25 06:40 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-06-25 06:40 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-06-25 06:40 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-25 06:38 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-25 06:37 . 2008-04-13 20:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-06-25 06:37 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-06-25 06:37 . 2008-04-13 20:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-25 05:35 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-25 05:35 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-25 05:35 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-25 05:35 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-25 05:35 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-25 05:35 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-25 05:35 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-25 05:35 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-25 05:35 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-24 06:06 . 2008-07-11 05:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-24 06:06 . 2008-06-24 06:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-24 06:06 . 2008-07-12 22:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 06:06 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-24 06:06 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-24 06:06 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-24 06:06 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-24 05:55 . 2008-06-24 05:55 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-24 05:35 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-24 05:34 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-20 13:46 . 2008-06-20 13:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 13:46 . 2008-06-20 13:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 07:51 . 2008-06-20 07:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:40 . 2008-06-20 07:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:08 . 2008-06-20 07:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-13 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-11 09:21 --------- d-----w C:\Program Files\The Logo Creator v5
2008-07-10 10:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-06 02:55 --------- d-----w C:\Program Files\The Flash Ad Creator v2.5
2008-07-02 07:54 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-06-26 19:40 558,101 ----a-w C:\Program Files\uninstal.log
2008-06-25 17:08 --------- d-----w C:\Program Files\Wicked Web Net
2008-06-25 11:38 --------- d-----w C:\Program Files\Logitech
2008-06-24 11:01 --------- d-----w C:\Program Files\Bodog Poker copy
2008-06-24 10:33 --------- d-----w C:\Program Files\PokerStars
2008-06-24 10:09 --------- d-----w C:\Program Files\Lavasoft
2008-06-24 10:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-24 09:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 09:55 --------- d-----w C:\Program Files\Common Files\Real
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2006-12-18 23:33 28,064 -c--a-w C:\Program Files\Uninstall2548.DAT
2006-12-18 23:33 13,826 -c--a-w C:\Program Files\UILANG2.UDB
2006-12-18 23:33 13,826 -c--a-w C:\Program Files\UILANG1.UDB
2006-01-06 02:00 3,345 ----a-w C:\Program Files\test.html
2005-08-27 22:26 1,581,056 ----a-w C:\Program Files\SAFlashPlayer.exe
2005-02-03 02:57 28,332 -c--a-w C:\Program Files\Uninstall92AD.DAT
2004-08-07 19:58 135,168 -c--a-w C:\Program Files\MJE.exe
2004-07-21 19:38 6,250 ----a-w C:\Program Files\MJE.html
2003-11-18 11:50 2,087 -c--a-w C:\Program Files\METAL WORSHIP
2003-11-06 03:45 101,250 -c--a-w C:\Program Files\Lite.pm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73863C3A-3D8B-4BE7-9B88-A822B3268A25}]
2008-07-11 07:54 321792 --a------ C:\WINDOWS\system32\yayvWoPj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 18:44 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 20:11 114688]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 02:01 57344]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 21:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 19:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 19:14 217088]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe" [2007-02-26 22:15 360448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34 5419008]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 23:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-03 19:23:39 124912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk]
backup=C:\WINDOWS\pss\PopSubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackWeb LiteInstaller
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebWatch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 18:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a--c--- 2002-12-10 22:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a--c--- 2002-12-10 22:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a--c--- 2002-07-17 21:00 200767 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-12-08 15:56 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"ImapiService"=3 (0x3)
"SENS"=2 (0x2)
"MDM"=2 (0x2)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"SCardSvr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\system32\socketlock.sys [2005-02-14 04:56]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 11:05]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2002-12-09 21:19]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2004-07-04 15:22:16 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-03-20 05:44:07 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{f26b8e07-45f8-4f64-b0e2-c96d8b798ff3} - (no file)
Toolbar-{0ed074cb-446c-429f-b5de-a69f62f80397} - (no file)
WebBrowser-{F26B8E07-45F8-4F64-B0E2-C96D8B798FF3} - (no file)
WebBrowser-{0ED074CB-446C-429F-B5DE-A69F62F80397} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-fc9bc55a - C:\WINDOWS\system32\fqcmvaju.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 03:30:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-14 3:45:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 07:45:06

Pre-Run: 19,639,922,688 bytes free
Post-Run: 19,559,579,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

296 --- E O F --- 2008-07-09 08:51:55


--And then here is the HijackThis Log--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:53 AM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {73863C3A-3D8B-4BE7-9B88-A822B3268A25} - C:\WINDOWS\system32\yayvWoPj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker copy\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.di...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8408 bytes



After the computer started back up to prepare the Combofix report a windows error box popped up and said that some .dll file was unable to run. It was just random letters I believe. I figured it to be normal so I did not write down the name of the file. Hope I did not assume wrong.. I am sure it will do it again the next time I restart. I followed your instructions in the previous post to a "T" the best I was able and did not purposely skip any steps or required reading..

Edited by Wicked Web, 14 July 2008 - 01:57 AM.

  • 0

#4
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

You have a backdoor trojan/password stealer on your computer, I recommend you change your passwords from another CLEAN computer immediately.

Did you install these programs?

Bodog Poker copy
PokerStars


If not uninstall them and delete these folders


C:\Program Files\Bodog Poker copy
C:\Program Files\PokerStars

Now,


Please click Start then Run, in the window appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
Collect::
C:\WINDOWS\system32\yayvWoPj.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73863C3A-3D8B-4BE7-9B88-A822B3268A25}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TrkWks"=-
"ERSvc"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Post back with the logs please.
  • 0

#5
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
After following those instructions here is the next ComboFix Report.. Please note I was required to submit a file for further analysis to Bleeping Computer which was

C:\Documents and Settings\Owner\Desktop.\[4][email protected]


Here is the ComboFix Report.

ComboFix 08-07-13.9 - Owner 2008-07-14 14:19:12.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dwxymrmx.ini
C:\WINDOWS\system32\jPoWvyay.ini
C:\WINDOWS\system32\jPoWvyay.ini2
C:\WINDOWS\system32\rstiwkyh.dll
C:\WINDOWS\system32\sakoeb.dll
C:\WINDOWS\system32\xmrmyxwd.dll
C:\WINDOWS\system32\yayvWoPj.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-13 14:46 . 2008-07-13 14:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-13 14:44 . 2003-04-10 07:05 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\WINDOWS
2008-07-13 14:44 . 2003-04-10 06:50 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\Symantec
2008-07-13 14:44 . 2003-04-10 06:49 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\Sonic
2008-07-13 14:44 . 2003-04-10 07:08 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\SampleView
2008-07-13 14:44 . 2003-04-10 06:58 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\InterTrust
2008-07-13 14:44 . 2003-04-10 06:53 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\interMute
2008-07-13 14:44 . 2008-07-13 14:44 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP
2008-07-13 14:41 . 2008-07-13 15:18 <DIR> d----c--- C:\SDFix
2008-07-12 23:23 . 2008-07-12 23:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 08:07 . 2002-08-29 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-05 02:35 . 2008-07-05 02:35 104,448 --a------ C:\WINDOWS\system32\ecFDI.dll
2008-07-05 02:35 . 2008-07-05 02:35 90,624 --a------ C:\WINDOWS\system32\ecFCI.dll
2008-07-05 02:35 . 2008-07-05 02:35 27,944 --a------ C:\WINDOWS\system32\EclipseCabinet.chm
2008-07-05 02:33 . 2008-07-05 02:33 15,220 --a------ C:\WINDOWS\EP2k.gif
2008-07-02 03:53 . 2008-07-02 03:53 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-02 03:51 . 2008-07-02 03:51 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-02 03:42 . 2008-07-02 03:42 <DIR> d-------- C:\Program Files\Source Snatcher Full
2008-06-26 14:43 . 2008-06-29 04:33 <DIR> d-------- C:\Program Files\Animated Logo Creator v1.5
2008-06-26 07:07 . 2008-01-30 16:36 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-25 07:35 . 2008-06-25 07:36 <DIR> d-------- C:\Program Files\Common Files\logishrd
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 06:40 . 2008-04-13 20:12 712,704 --a------ C:\WINDOWS\system32\windowscodecs.dll
2008-06-25 06:40 . 2008-04-13 20:12 346,112 --a------ C:\WINDOWS\system32\windowscodecsext.dll
2008-06-25 06:40 . 2008-04-13 20:12 290,304 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-06-25 06:40 . 2008-04-13 20:12 276,992 --a------ C:\WINDOWS\system32\wmphoto.dll
2008-06-25 06:40 . 2008-04-13 20:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-06-25 06:40 . 2008-04-13 20:12 61,952 --a------ C:\WINDOWS\system32\rasqec.dll
2008-06-25 06:40 . 2008-04-13 20:12 53,248 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-06-25 06:40 . 2008-04-13 20:12 50,688 --a------ C:\WINDOWS\system32\tspkg.dll
2008-06-25 06:40 . 2008-04-13 20:12 32,768 --a------ C:\WINDOWS\system32\setupn.exe
2008-06-25 06:40 . 2008-04-13 14:40 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-25 06:38 . 2008-04-13 20:11 650,752 --a------ C:\WINDOWS\system32\dot3ui.dll
2008-06-25 06:37 . 2008-04-13 20:11 233,472 --a------ C:\WINDOWS\system32\azroles.dll
2008-06-25 06:37 . 2008-04-13 20:11 136,192 --a------ C:\WINDOWS\system32\aaclient.dll
2008-06-25 06:37 . 2008-04-13 20:11 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-06-25 05:35 . 2008-04-23 00:16 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-25 05:35 . 2007-04-17 05:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-25 05:35 . 2007-03-08 01:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-25 05:35 . 2008-04-23 00:16 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-25 05:35 . 2008-04-23 00:16 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-25 05:35 . 2008-04-23 00:16 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-25 05:35 . 2008-04-23 00:16 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-25 05:35 . 2008-04-23 00:16 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-25 05:35 . 2008-04-22 03:39 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-24 06:06 . 2008-07-11 05:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-24 06:06 . 2008-06-24 06:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-24 06:06 . 2008-07-12 22:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 06:06 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-24 06:06 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-24 06:06 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-24 06:06 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-24 05:55 . 2008-06-24 05:55 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-24 05:35 . 2008-06-13 07:05 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-24 05:34 . 2008-05-08 10:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-20 13:46 . 2008-06-20 13:46 245,248 --a--c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 13:46 . 2008-06-20 13:46 147,968 --a--c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 07:51 . 2008-06-20 07:51 361,600 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:40 . 2008-06-20 07:40 138,496 --a--c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:08 . 2008-06-20 07:08 225,856 --a--c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-13 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-11 09:21 --------- d-----w C:\Program Files\The Logo Creator v5
2008-07-10 10:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-06 02:55 --------- d-----w C:\Program Files\The Flash Ad Creator v2.5
2008-07-02 07:54 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-06-26 19:40 558,101 ----a-w C:\Program Files\uninstal.log
2008-06-25 17:08 --------- d-----w C:\Program Files\Wicked Web Net
2008-06-25 11:38 --------- d-----w C:\Program Files\Logitech
2008-06-24 11:01 --------- d-----w C:\Program Files\Bodog Poker copy
2008-06-24 10:33 --------- d-----w C:\Program Files\PokerStars
2008-06-24 10:09 --------- d-----w C:\Program Files\Lavasoft
2008-06-24 10:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-24 09:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 09:55 --------- d-----w C:\Program Files\Common Files\Real
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2006-12-18 23:33 28,064 -c--a-w C:\Program Files\Uninstall2548.DAT
2006-12-18 23:33 13,826 -c--a-w C:\Program Files\UILANG2.UDB
2006-12-18 23:33 13,826 -c--a-w C:\Program Files\UILANG1.UDB
2006-01-06 02:00 3,345 ----a-w C:\Program Files\test.html
2005-08-27 22:26 1,581,056 ----a-w C:\Program Files\SAFlashPlayer.exe
2005-02-03 02:57 28,332 -c--a-w C:\Program Files\Uninstall92AD.DAT
2004-08-07 19:58 135,168 -c--a-w C:\Program Files\MJE.exe
2004-07-21 19:38 6,250 ----a-w C:\Program Files\MJE.html
2003-11-18 11:50 2,087 -c--a-w C:\Program Files\METAL WORSHIP
2003-11-06 03:45 101,250 -c--a-w C:\Program Files\Lite.pm
.

((((((((((((((((((((((((((((( [email protected]_ 3.44.36.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-14 18:37:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_514.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 18:44 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 20:11 114688]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 02:01 57344]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 21:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 19:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 19:14 217088]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe" [2007-02-26 22:15 360448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"fc9bc55a"="C:\WINDOWS\system32\xmrmyxwd.dll" [BU]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34 5419008]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 23:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-03 19:23:39 124912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk]
backup=C:\WINDOWS\pss\PopSubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackWeb LiteInstaller
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebWatch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 18:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a--c--- 2002-12-10 22:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a--c--- 2002-12-10 22:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a--c--- 2002-07-17 21:00 200767 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-12-08 15:56 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"Themes"=2 (0x2)
"ImapiService"=3 (0x3)
"SENS"=2 (0x2)
"MDM"=2 (0x2)
"wuauserv"=2 (0x2)
"SCardSvr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\system32\socketlock.sys [2005-02-14 04:56]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 11:05]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2002-12-09 21:19]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2004-07-04 15:22:16 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-03-20 05:44:07 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 14:38:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-07-14 14:52:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 18:52:38
ComboFix2.txt 2008-07-14 07:45:14

Pre-Run: 19,629,023,232 bytes free
Post-Run: 19,634,888,704 bytes free

258 --- E O F --- 2008-07-09 08:51:55




NOTE:

While trying to Install MBAM Malware removal the installation as not successful.. Error message stated

C:\Program Files\MalwareBytes' Anti-Malware\mbamext.dll
Unable to Register the DLL/OCX: RegSvr32 failed with exit code 0x5.

It then recommended to abort the installation so I did.
  • 0

#6
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Also I forgot to mention that the bodog poker and pokerstars are legit.. I installed them myself.
  • 0

#7
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

If you wouldn't mind, goto http://www.bleepingc...e.php?channel=4
and upload the zipped file.
Use this link for the topic http://www.geekstogo...on-t204916.html
You can leave the comments blank if you wish.

Let's try another program for the moment - uninstall MBAM if it is present in add or remove and delete the setup file.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Then,

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

  • 0

#8
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Very irritated with kaspersky.. Did the entire 3 and a half hour scan. It found infections and when I clicked to save the report the button depressed and locked and I was never able to download a report.. It just never gave me one..
So until I can get this next scan started to try again here is the Super AntiSpyware Report:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2008 at 06:37 AM

Application Version : 4.15.1000

Core Rules Database Version : 3505
Trace Rules Database Version: 1496

Scan type : Complete Scan
Total Scan Time : 01:44:21

Memory items scanned : 394
Memory threats detected : 0
Registry items scanned : 6201
Registry threats detected : 0
File items scanned : 115776
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
.doubleclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
as.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
network.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.ehg-dig.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.bluestreak.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tradedoubler.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.azjmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
adserving.autotrader.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.ehg-autotrader.hitbox.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.z1.adserver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.z1.adserver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.z1.adserver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.insightfirst.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.nextag.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.nextag.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
.icc.intellisrv.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\6nf4z2u2.default\cookies.txt ]
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DNALAF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GELTJTDX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HHJWKYSR.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MOFFTMXL.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MTRQUF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YPKGHX.DLL.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FQCMVAJU.DLL.VIR
  • 0

#9
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
I'm sorry to hear that - happened to me before as well :)

If you could re-run the scan that would be great, It looks like everything is in quarantine though.

Also post a new Hijack this log for me please.
  • 0

#10
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Taking a look at the kaspersky there looks like there might be one item that is not in quarantine but its just the zip file that I still have that was submitted to bleeping computer... Here is that report.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 17, 2008 09:45:37
Records in database: 962507
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 129841
Threat name: 1
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 03:24:27


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\[4][email protected] Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bvrecs.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXOExUo.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hvyusgjy.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rstiwkyh.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sakoeb.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xmrmyxwd.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xovgeyya.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Monderb.gen 1

The selected area was scanned.


Here is the most recent hijack this log following the kaspersky log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:05 PM, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Screen Shoot-It.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [fc9bc55a] rundll32.exe "C:\WINDOWS\system32\xmrmyxwd.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker copy\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.di...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8676 bytes
  • 0

Advertisements


#11
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Also I would like to note that every time I reboot my computer now I get an error message on the desktop that reads like this:

"Error loading C:\WINDOWS\System32\xmrmyxwd.dll
The specified module could not be found"
  • 0

#12
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi,

Almost done. Make sure spyware doctor is disabled for this fix please.

Please click Start then Run, in the window appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\system32\xmrmyxwd.dll
C:\Documents and Settings\Owner\Desktop\[4][email protected]
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fc9bc55a"=-
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Post a new Hijack This log as well please.

Edited by Mike, 17 July 2008 - 01:04 PM.

  • 0

#13
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Err, also did you install the following?

Bodog Poker copy
PokerStars
PartyPoker
EmpirePoker


If not uninstall them and tell me in your next reply - I'll get rid of the leftovers.

Edited by Mike, 17 July 2008 - 01:11 PM.

  • 0

#14
Wicked Web

Wicked Web

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I did install them all at one time.. However I have uninstalled all of them except for Bodog Poker through add remove programs.. I will be keeping bodog poker. I just found the Pokerstars in the Programs Folder and deleted it as well.. I never seen Empire or Party Poker Folders though.. I do not need Empire or Party Poker...


Here is the combofix report:


ComboFix 08-07-13.9 - Owner 2008-07-17 15:50:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.636 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner\Desktop\[4][email protected]
C:\WINDOWS\system32\xmrmyxwd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktop\[4][email protected]

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-16 14:30 . 2008-07-16 14:30 <DIR> d-------- C:\Program Files\Sun
2008-07-16 14:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-16 04:47 . 2008-07-16 04:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-16 04:47 . 2008-07-16 04:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-07-16 04:47 . 2008-07-16 04:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 04:46 . 2008-07-16 04:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 14:46 . 2008-07-13 14:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-13 14:44 . 2003-04-10 07:05 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\WINDOWS
2008-07-13 14:44 . 2003-04-10 06:50 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\Symantec
2008-07-13 14:44 . 2003-04-10 06:49 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\Sonic
2008-07-13 14:44 . 2003-04-10 07:08 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\SampleView
2008-07-13 14:44 . 2003-04-10 06:58 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\InterTrust
2008-07-13 14:44 . 2003-04-10 06:53 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP\Application Data\interMute
2008-07-13 14:44 . 2008-07-13 14:44 <DIR> d-------- C:\Documents and Settings\Administrator.METALWORSHIP
2008-07-13 14:41 . 2008-07-13 15:18 <DIR> d----c--- C:\SDFix
2008-07-12 23:23 . 2008-07-12 23:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 08:07 . 2002-08-29 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-05 02:35 . 2008-07-05 02:35 104,448 --a------ C:\WINDOWS\system32\ecFDI.dll
2008-07-05 02:35 . 2008-07-05 02:35 90,624 --a------ C:\WINDOWS\system32\ecFCI.dll
2008-07-05 02:35 . 2008-07-05 02:35 27,944 --a------ C:\WINDOWS\system32\EclipseCabinet.chm
2008-07-05 02:33 . 2008-07-05 02:33 15,220 --a------ C:\WINDOWS\EP2k.gif
2008-07-02 03:53 . 2008-07-02 03:53 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-02 03:51 . 2008-07-02 03:51 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-02 03:42 . 2008-07-02 03:42 <DIR> d-------- C:\Program Files\Source Snatcher Full
2008-06-26 14:43 . 2008-06-29 04:33 <DIR> d-------- C:\Program Files\Animated Logo Creator v1.5
2008-06-26 07:07 . 2008-01-30 16:36 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-06-25 07:35 . 2008-06-25 07:36 <DIR> d-------- C:\Program Files\Common Files\logishrd
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 07:08 . 2008-06-25 07:08 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 06:40 . 2008-04-13 20:12 712,704 --a------ C:\WINDOWS\system32\windowscodecs.dll
2008-06-25 06:40 . 2008-04-13 20:12 346,112 --a------ C:\WINDOWS\system32\windowscodecsext.dll
2008-06-25 06:40 . 2008-04-13 20:12 290,304 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-06-25 06:40 . 2008-04-13 20:12 276,992 --a------ C:\WINDOWS\system32\wmphoto.dll
2008-06-25 06:40 . 2008-04-13 20:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-06-25 06:40 . 2008-04-13 20:12 61,952 --a------ C:\WINDOWS\system32\rasqec.dll
2008-06-25 06:40 . 2008-04-13 20:12 53,248 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-06-25 06:40 . 2008-04-13 20:12 50,688 --a------ C:\WINDOWS\system32\tspkg.dll
2008-06-25 06:40 . 2008-04-13 20:12 32,768 --a------ C:\WINDOWS\system32\setupn.exe
2008-06-25 06:40 . 2008-04-13 14:40 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-25 06:38 . 2008-04-13 20:11 650,752 --a------ C:\WINDOWS\system32\dot3ui.dll
2008-06-25 06:37 . 2008-04-13 20:11 233,472 --a------ C:\WINDOWS\system32\azroles.dll
2008-06-25 06:37 . 2008-04-13 20:11 136,192 --a------ C:\WINDOWS\system32\aaclient.dll
2008-06-25 06:37 . 2008-04-13 20:11 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-06-25 05:35 . 2008-04-23 00:16 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-25 05:35 . 2007-04-17 05:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-25 05:35 . 2007-03-08 01:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-25 05:35 . 2008-04-23 00:16 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-25 05:35 . 2008-04-23 00:16 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-25 05:35 . 2008-04-23 00:16 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-25 05:35 . 2008-04-23 00:16 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-25 05:35 . 2008-04-23 00:16 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-25 05:35 . 2008-04-22 03:39 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-24 06:06 . 2008-07-11 05:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-24 06:06 . 2008-06-24 06:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-24 06:06 . 2008-07-12 22:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 06:06 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-24 06:06 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-24 06:06 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-24 06:06 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-24 05:55 . 2008-06-24 05:55 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-24 05:35 . 2008-06-13 07:05 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-24 05:34 . 2008-05-08 10:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-20 13:46 . 2008-06-20 13:46 245,248 --a--c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 13:46 . 2008-06-20 13:46 147,968 --a--c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 07:51 . 2008-06-20 07:51 361,600 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:40 . 2008-06-20 07:40 138,496 --a--c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:08 . 2008-06-20 07:08 225,856 --a--c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-16 18:34 --------- d-----w C:\Program Files\Java
2008-07-13 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-11 09:21 --------- d-----w C:\Program Files\The Logo Creator v5
2008-07-10 10:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-06 02:55 --------- d-----w C:\Program Files\The Flash Ad Creator v2.5
2008-07-02 07:54 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-06-26 19:40 558,101 ----a-w C:\Program Files\uninstal.log
2008-06-25 17:08 --------- d-----w C:\Program Files\Wicked Web Net
2008-06-25 11:38 --------- d-----w C:\Program Files\Logitech
2008-06-25 11:11 77,824 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\WinVerifyTrust.dll
2008-06-25 11:11 49,152 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PCHI18N.dll
2008-06-25 11:11 420,432 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\pchplugin.zip
2008-06-25 11:11 159,744 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PCHButton.exe
2008-06-25 11:11 106,496 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PluginCtrl.dll
2008-06-25 11:10 126,976 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\ContentUpdater.exe
2008-06-25 11:10 122,880 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\SearchCtrl.dll
2008-06-25 11:10 1,306,152 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\motdeusr.zip
2008-06-24 11:01 --------- d-----w C:\Program Files\Bodog Poker copy
2008-06-24 10:09 --------- d-----w C:\Program Files\Lavasoft
2008-06-24 10:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-24 09:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 09:55 --------- d-----w C:\Program Files\Common Files\Real
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-18 23:33 28,064 -c--a-w C:\Program Files\Uninstall2548.DAT
2006-12-18 23:33 13,826 -c--a-w C:\Program Files\UILANG2.UDB
2006-12-18 23:33 13,826 -c--a-w C:\Program Files\UILANG1.UDB
2006-01-06 02:00 3,345 ----a-w C:\Program Files\test.html
2005-08-27 22:26 1,581,056 ----a-w C:\Program Files\SAFlashPlayer.exe
2005-02-03 02:57 28,332 -c--a-w C:\Program Files\Uninstall92AD.DAT
2004-08-07 19:58 135,168 -c--a-w C:\Program Files\MJE.exe
2004-07-21 19:38 6,250 ----a-w C:\Program Files\MJE.html
2003-11-18 11:50 2,087 -c--a-w C:\Program Files\METAL WORSHIP
2003-11-06 03:45 101,250 -c--a-w C:\Program Files\Lite.pm
.

((((((((((((((((((((((((((((( [email protected]_ 3.44.36.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 19:27:06 49,248 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 19:27:16 49,250 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 21:03:54 127,078 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-07-17 18:56:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 18:44 196608]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 20:11 114688]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 02:01 57344]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 21:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 19:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 19:14 217088]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe" [2007-02-26 22:15 360448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34 5419008]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 23:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-03 19:23:39 124912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk]
backup=C:\WINDOWS\pss\PopSubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackWeb LiteInstaller
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebWatch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 18:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a--c--- 2002-12-10 22:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a--c--- 2002-12-10 22:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a--c--- 2002-07-17 21:00 200767 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-12-08 15:56 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"Themes"=2 (0x2)
"ImapiService"=3 (0x3)
"SENS"=2 (0x2)
"MDM"=2 (0x2)
"wuauserv"=2 (0x2)
"SCardSvr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\system32\socketlock.sys [2005-02-14 04:56]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 11:05]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2002-12-09 21:19]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2004-07-04 15:22:16 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-03-20 05:44:07 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 15:54:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-07-17 16:00:28
ComboFix-quarantined-files.txt 2008-07-17 19:59:49
ComboFix2.txt 2008-07-14 18:52:45
ComboFix3.txt 2008-07-14 07:45:14

Pre-Run: 18,685,075,456 bytes free
Post-Run: 18,696,704,000 bytes free

268 --- E O F --- 2008-07-16 08:45:01



And here is the Newest HijackThis Report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:25 PM, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Navigator Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker copy\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.di...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8568 bytes
  • 0

#15
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Good,

You also seem to have viewpoint installed, Its considered foistware but has been said to moving over to being catagorized as malware,

If you wish uninstall Viewpoint and delete these folders:

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\program files\Viewpoint

Fix these lines with Hijack This:
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -



After that your logs are clean :)

Click START then RUN
Now type Combofix /u in the runbox and click OK
Posted Image
Notice the space between the x and / -- That needs to be there.

&

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.

You may keep SUPERAntiSpyware if you wish - or you can uninstall it.

Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
    • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP