21-Aug-2008, 11:41 PM, #1
Solved: Pop-ups and audio

Hi all,

Trying to fix this computer for a friend. My typical response to this type of malware is to blow everything away and start from scratch (saves hours of frustration). Anyway, I don't have that option at the moment, so here I am.

Started a week ago. Audio just kicks in to say that she won a gift card from Walmart or won a free iPod. She was told to run a bunch of anti-spyware utilities by her neighbor, but nothing was resolved. I ran HJT and ComboFix but am still running into the same issue. After ComboFix was run, the log came up, but once I closed the log file, I had to go to the Task Manager to reboot. ComboFix was run first, then HJT.

===================================================

ComboFix 08-08-19.06 - Jennifer 2008-08-21 19:19:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.487 [GMT -4:00]
Running from: C:\Documents and Settings\Jennifer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jennifer\Desktop\WinXP_EN_HOM_BF.EXE
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jennifer\Application Data\macromedia\Flash Player\#SharedObjects\BJNX25FU\interclick.com
C:\Documents and Settings\Jennifer\Application Data\macromedia\Flash Player\#SharedObjects\BJNX25FU\interclick.com\ud.sol
C:\Documents and Settings\Jennifer\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jennifer\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\KXPHKLTB\interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\KXPHKLTB\interclick.com\ud.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\Noah Benson\Application Data\macromedia\Flash Player\#SharedObjects\YDQ4ZE98\interclick.com
C:\Documents and Settings\Noah Benson\Application Data\macromedia\Flash Player\#SharedObjects\YDQ4ZE98\interclick.com\ud.sol
C:\Documents and Settings\Noah Benson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Noah Benson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-21 18:34 . 2008-08-21 18:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 18:34 . 2008-08-21 18:34 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Malwarebytes
2008-08-21 18:34 . 2008-08-21 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 18:34 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 18:34 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 23:17 . 2008-08-21 07:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-20 22:47 . 2008-08-20 22:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 18:49 . 2008-08-20 18:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-20 18:49 . 2008-08-20 18:49 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\SUPERAntiSpyware.com
2008-08-20 18:49 . 2008-08-20 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-20 08:32 . 2008-08-20 08:32 <DIR> d-------- C:\Program Files\Sun
2008-08-19 21:14 . 2008-08-21 15:29 80,898 --a------ C:\WINDOWS\system32\7X1wxj7y.exe_
2008-08-19 21:14 . 2008-08-21 18:19 80,898 --a------ C:\WINDOWS\system32\7X1wxj7y.exe
2008-08-16 18:54 . 2008-08-16 18:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-16 18:54 . 2008-08-20 18:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-16 18:54 . 2008-08-16 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-15 20:44 . 2008-08-15 20:44 0 --a------ C:\WINDOWS\system32\7X1wxj7y.exe.a_a
2008-08-15 18:32 . 2008-08-15 18:31 29,760 --a------ C:\WINDOWS\system32\Lm0811L3.exe
2008-08-15 18:32 . 2008-08-15 18:32 0 --a------ C:\WINDOWS\system32\Lm0811L3.exe.a_a
2008-08-11 20:29 . 2008-08-11 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-11 20:05 . 2008-08-11 20:05 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-11 11:02 . 2008-08-11 11:02 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-03 21:34 . 2008-08-03 21:34 <DIR> d-------- C:\Program Files\iPod
2008-07-28 18:21 . 2008-07-28 18:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-21 10:53 . 2008-07-21 10:53 57,356 --ah----- C:\WINDOWS\system32\mlfcache.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 03:18 --------- d-----w C:\Program Files\Google
2008-08-20 12:32 --------- d-----w C:\Program Files\Java
2008-08-20 03:13 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-13 10:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-12 01:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-05 23:10 --------- d-----w C:\Program Files\McAfee
2008-08-04 01:35 --------- d-----w C:\Program Files\iTunes
2008-07-21 14:52 --------- d-----w C:\Documents and Settings\Jennifer\Application Data\Apple Computer
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-12 17:21 --------- d-----w C:\Program Files\Autobahn
2008-07-12 11:19 --------- d-----w C:\Program Files\QuickTime
2008-07-12 11:19 --------- d-----w C:\Program Files\Bonjour
2008-07-12 11:12 --------- d-----w C:\Program Files\Safari
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 18:18 --------- d-----w C:\Program Files\NOS
2008-07-04 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-04 18:09 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-01 13:29 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 08:47 68856]

C:\Documents and Settings\Noah Benson\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-11-07 17:21 114688 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-29 13:33 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-06-29 12:25 14720000 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-21 C:\WINDOWS\Tasks\WebReg officejet 6300 series.job
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe [2006-06-07 17:45]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\zbhavlw4.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 19:24:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-21 19:25:36
ComboFix-quarantined-files.txt 2008-08-21 23:25:29

Pre-Run: 43,646,791,680 bytes free
Post-Run: 45,287,899,136 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

184 --- E O F --- 2008-08-20 03:13:30