Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Search Search
Search for:
Tech Support Guy > > >

"Trojan Horse, PassCapture and etc." Black Desktop. Help!

(In Progress)
(!)

timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
27-Apr-2009, 01:42 PM #1
Unhappy "Trojan Horse, PassCapture and etc." Black Desktop. Help!
I think I picked up a virus. I get constant pop ups in firefox and internet exlporer. My desktop has gone completely black and it says:

"Warning: Dangerous Spyware. Following viruses were found on your computer: Trojan horse, Passcapture and etc. Your private information may be potentially transferred to third parties. Please, check computer using advanced software. Thanks."

And when I try to open task manager it says that access has been denied by the administrator.

Please help!


Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:56 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\3493314460.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: C:\WINDOWS\system32\yhs783ijfo3fe.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
O2 - BHO: (no name) - {c37f09a0-43f7-49a4-a265-4ce61a56458e} - C:\WINDOWS\system32\tuneyevi.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [38a25a5a] rundll32.exe "C:\WINDOWS\system32\puwisuro.dll",b
O4 - HKLM\..\Run: [CPM3b9169c6] Rundll32.exe "c:\windows\system32\jelukahu.dll",a
O4 - HKLM\..\Run: [rolerofota] Rundll32.exe "C:\WINDOWS\system32\towoyila.dll",s
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\3493314460.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\wkfbr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wkfbr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\814786118.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wkfbr.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{55297BFE-2DD2-45A8-868C-82BCA3D8369E}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{B15B7F7A-B959-4BC2-B2C5-8718B30EFFDA}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE2D8502-8A59-491D-BF21-F804B6EC3BFF}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O17 - HKLM\System\CS3\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O17 - HKLM\System\CS4\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O17 - HKLM\System\CS5\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll c:\windows\system32\jelukahu.dll,C:\WINDOWS\system32\bibegipe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jelukahu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jelukahu.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10378 bytes
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.

Last edited by timiuser; 27-Apr-2009 at 09:25 PM..
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
28-Apr-2009, 11:11 PM #2
bump
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
29-Apr-2009, 02:25 PM #3
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
29-Apr-2009, 08:42 PM #4
Thanks very much, Cookiegal!

So I followed the instructions and ran Combo-Fix. The only problem I encountered was that I couldn't quit an anti-virus program called AVG Anti-Virus Free. I tried to uninstall it but couldn't because Word kept opening on my computer. I tried to access task manager to quit it but it said that my task manager was locked by the administrator.

Also, while Combo-Fix was running, it told me to note a few codes it came up with for "later" use. Here they are:

c:\windows\system32\ovfsthbbquhxxkmwbvwosbcmutjlnouvydolwi.dat
c:\windows\system32\ovfsthfsnqbhydhehqplypdevvossxsdyadyas.dat
c:\windows\system32\ovfsthgcfybutqrmftjlnoptatemgodymgsymx.dll
c:\windows\system32\ovfsthoktfqlixhdqgoifyhaknlcxqbpwisekh.dll
c:\windows\system32\ovfsthxvmqewiaypyeseqtfxvysdosmwfpcbwr.dll


And here are the Combo-Fix and the Hijack This logs, respectively:

ComboFix 09-04-29.01 - Owner 04/29/2009 21:08.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.183 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Rabio
c:\documents and settings\Owner\Application Data\twain\Twain.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Cpvff.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Owner\protect.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\absolute key logger.lnk
c:\windows\aconti.ini
c:\windows\aconti.log
c:\windows\aconti.sdb
c:\windows\acontidialer.txt
c:\windows\default.htm
c:\windows\system32\__c0072EDE.dat
c:\windows\system32\998.exe
c:\windows\system32\acespy
c:\windows\system32\acespy\__acelog.ndx
c:\windows\system32\acespy\systune.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\autochk.dll
c:\windows\system32\bibegipe.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\din.ip
c:\windows\system32\drivers\ovfsthuxnshutamfxrontrjetmoryxtrvkixrv.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\erukidaj.ini
c:\windows\system32\frmwrk32.exe
c:\windows\system32\higalepo.dll
c:\windows\system32\inudukul.ini
c:\windows\system32\jadikure.dll
c:\windows\system32\jelukahu.dll
c:\windows\system32\kihipapo.dll
c:\windows\system32\ksvcl.dll
c:\windows\system32\loader266.exe
c:\windows\system32\loader49.exe
c:\windows\system32\lukuduni.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\ntdll64.exe
c:\windows\system32\okkprcvq.ini
c:\windows\system32\omugakoy.ini
c:\windows\system32\opelagih.ini
c:\windows\system32\orusiwup.ini
c:\windows\system32\ovfsthbbquhxxkmwbvwosbcmutjlnouvydolwi.dat
c:\windows\system32\ovfsthfsnqbhydhehqplypdevvossxsdyadyas.dat
c:\windows\system32\ovfsthgcfybutqrmftjlnoptatemgodymgsymx.dll
c:\windows\system32\ovfsthoktfqlixhdqgoifyhaknlcxqbpwisekh.dll
c:\windows\system32\ovfsthxvmqewiaypyeseqtfxvysdosmwfpcbwr.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\pagifali.dll
c:\windows\system32\pohulomo.dll
c:\windows\system32\prnet.tmp
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sznf.ascii
c:\windows\system32\tmp.reg
c:\windows\system32\towoyila.dll
c:\windows\system32\tuneyevi.dll
c:\windows\system32\uniq.tll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\warning.gif
c:\windows\system32\winglsetup.exe
c:\windows\system32\wopebulu.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\yejedotu.exe
c:\windows\system32\yhs783ijfo3fe.dll
c:\windows\system32\zoyegetu.dll
c:\windows\TEMP\132344256.exe
c:\windows\TEMP\1427322688.exe
c:\windows\TEMP\2518703504.exe
c:\windows\TEMP\3892445992.exe
c:\windows\TEMP\814786118.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthrpdvjnswutewberafwkppkfmituwkymr


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 00:40 . 2009-04-30 00:40 -------- d-----w C:\32788R22FWJFW
2009-04-27 20:57 . 2009-04-28 17:38 -------- d-----w c:\documents and settings\Owner\Application Data\digifast
2009-04-27 20:52 . 2009-04-30 01:09 -------- d-----w c:\documents and settings\Owner\Application Data\Twain
2009-04-27 20:47 . 2009-04-27 20:47 -------- d-----w c:\program files\WWShow
2009-04-27 20:42 . 2009-04-27 20:42 -------- d-----w c:\program files\Jcore
2009-04-27 20:29 . 2009-04-30 00:18 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-27 20:07 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-27 18:26 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-27 18:26 . 2009-04-27 18:26 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-27 18:25 . 2009-04-27 18:25 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-27 18:24 . 2009-04-27 18:26 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-27 04:11 . 2009-04-27 17:40 -------- d--h--w C:\$AVG8.VAULT$
2009-04-27 03:50 . 2009-04-27 03:50 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 03:50 . 2009-04-27 03:50 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 03:50 . 2009-04-27 03:50 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 03:50 . 2009-04-27 03:50 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-27 03:50 . 2009-04-27 03:50 -------- d-----w c:\program files\AVG
2009-04-27 03:50 . 2009-04-30 00:38 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-26 22:47 . 2009-04-26 22:47 -------- d-----w c:\program files\Trend Micro
2009-04-26 20:36 . 2009-04-26 20:36 -------- d-----w c:\documents and settings\Owner\Application Data\pidle
2009-04-11 22:23 . 2009-04-11 22:23 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-03-31 18:22 . 2009-03-31 18:22 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-03-31 18:20 . 2009-03-31 18:21 -------- d-----w c:\program files\Apple Software Update
2009-03-31 18:20 . 2009-03-31 18:20 -------- d-----w c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 17:25 . 2009-04-28 17:25 162 ---ha-w c:\windows\system32\~$prnet.tmp
2009-04-27 20:07 . 2007-10-23 06:27 -------- d-----w c:\program files\Adsense Helper Object
2009-04-27 18:24 . 2006-01-01 03:26 -------- d-----w c:\program files\Lavasoft
2009-04-27 15:30 . 2007-10-23 04:51 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 15:05 . 2009-01-27 15:05 52224 --sha-w c:\windows\system32\legidonu.exe
2009-04-26 20:41 . 2009-01-26 20:41 52224 --sha-w c:\windows\system32\lilayeti.exe
2009-03-31 18:25 . 2005-11-27 04:44 -------- d-----w c:\program files\QuickTime
2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Real
2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Common Files\Real
2009-03-31 04:25 . 2005-09-12 18:49 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 18:58 . 2008-08-13 15:36 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-16 04:42 . 2009-02-02 00:39 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-01 18:29 . 2005-11-27 03:30 1896 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-04-27 20:59 . 2009-04-27 20:59 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
2009-01-26 20:36 . 2009-01-26 20:36 49152 --sha-w c:\windows\system32\guzuyavu.dll.tmp
2009-01-26 20:36 . 2009-01-26 20:36 49152 --sha-w c:\windows\system32\heravole.dll.tmp
2009-01-26 20:36 . 2009-01-26 20:36 49152 --sha-w c:\windows\system32\tigefeki.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"pidle"="c:\documents and settings\Owner\Application Data\pidle\pidle.exe" [2009-04-26 56832]
"DigiFast"="c:\documents and settings\Owner\Application Data\digifast\digifast.exe" [2009-04-27 225792]
"H25k"="c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe" [2009-04-27 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-05-13 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-05-13 126976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"emMON"="HCWemMON.exe" - c:\windows\HCWemMON.exe [2006-05-31 61440]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Script execution time was exceeded on script "c:\combo-fix\lnkread.vbs".
Script execution was terminated.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 03:50 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\BigFix\\BigFix.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-27 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-27 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-27 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-27 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - avg8emc
*Deregistered* - avg8wd
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CCALib8
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - iPodService
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - PrismXL
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Viewpoint Manager Service
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
BHO-{c37f09a0-43f7-49a4-a265-4ce61a56458e} - c:\windows\system32\tuneyevi.dll
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
HKCU-Run-prnet - c:\windows\system32\prnet.tmp
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-prnet - c:\windows\system32\prnet.tmp
HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\wkfbr.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\2518703504.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-A00FE9D93.exe - c:\windows\TEMP\_A00FE9D93.exe
SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kihipapo.dll
Notify-__c0072EDE - c:\windows\system32\__c0072EDE.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\firefox@tvunetwor ks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\moveplayer@movene tworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 21:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(600)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\BigFix\BigFix.exe
c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-04-30 21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 01:27

Pre-Run: 7,752,544,256 bytes free
Post-Run: 7,733,088,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
335 --- E O F --- 2008-09-21 20:06




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:43 PM, on 4/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Documents and Settings\Owner\Application Data\DigiFast\digifast.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\Owner\Application Data\digifast\digifast.exe
O4 - HKCU\..\Run: [H25k] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7712 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
30-Apr-2009, 02:01 PM #5
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\legidonu.exe
c:\windows\system32\lilayeti.exe
c:\program files\mozilla firefox\components\dfff.dll
c:\program files\mozilla firefox\components\WWShow.dll
c:\windows\system32\guzuyavu.dll.tmp
c:\windows\system32\heravole.dll.tmp
c:\windows\system32\tigefeki.dll.tmp
c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll

Folder::
c:\documents and settings\Owner\Application Data\digifast
c:\documents and settings\Owner\Application Data\Twain
c:\program files\WWShow
c:\program files\Jcore
c:\documents and settings\Owner\Application Data\pidle
c:\program files\Adsense Helper Object

DirLook::
C:\32788R22FWJFW

registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
pidle"=-
"DigiFast"=- 
"H25k"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
30-Apr-2009, 02:26 PM #6
Here they are:

ComboFix 09-04-29.01 - Owner 04/30/2009 15:18.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.115 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
c:\program files\mozilla firefox\components\dfff.dll
c:\program files\mozilla firefox\components\WWShow.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\guzuyavu.dll.tmp
c:\windows\system32\heravole.dll.tmp
c:\windows\system32\legidonu.exe
c:\windows\system32\lilayeti.exe
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\tigefeki.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\digifast
c:\documents and settings\Owner\Application Data\digifast\config.cfg
c:\documents and settings\Owner\Application Data\digifast\DFUninstall.exe
c:\documents and settings\Owner\Application Data\digifast\digifast.exe
c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
c:\documents and settings\Owner\Application Data\pidle
c:\documents and settings\Owner\Application Data\pidle\pidle.exe
c:\documents and settings\Owner\Application Data\Twain
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Cpvff.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Adsense Helper Object
c:\program files\Jcore
c:\program files\Jcore\Jcore2.dll
c:\program files\mozilla firefox\components\dfff.dll
c:\program files\mozilla firefox\components\WWShow.dll
c:\program files\WWShow
c:\program files\WWShow\WWShow.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\guzuyavu.dll.tmp
c:\windows\system32\heravole.dll.tmp
c:\windows\system32\legidonu.exe
c:\windows\system32\lilayeti.exe
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\tigefeki.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 19:15 . 2009-04-30 19:15 -------- d-----w c:\windows\LastGood
2009-04-27 20:07 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-27 18:26 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-27 18:26 . 2009-04-27 18:26 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-27 18:25 . 2009-04-27 18:25 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-27 18:24 . 2009-04-27 18:26 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-27 04:11 . 2009-04-27 17:40 -------- d--h--w C:\$AVG8.VAULT$
2009-04-27 03:50 . 2009-04-30 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-26 22:47 . 2009-04-26 22:47 -------- d-----w c:\program files\Trend Micro
2009-04-11 22:23 . 2009-04-11 22:23 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 17:25 . 2009-04-28 17:25 162 ---ha-w c:\windows\system32\~$prnet.tmp
2009-04-27 18:24 . 2006-01-01 03:26 -------- d-----w c:\program files\Lavasoft
2009-04-27 15:30 . 2007-10-23 04:51 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-31 18:25 . 2005-11-27 04:44 -------- d-----w c:\program files\QuickTime
2009-03-31 18:21 . 2009-03-31 18:20 -------- d-----w c:\program files\Apple Software Update
2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Real
2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Common Files\Real
2009-03-31 04:25 . 2005-09-12 18:49 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 18:58 . 2008-08-13 15:36 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-16 04:42 . 2009-02-02 00:39 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-09 10:19 . 2004-08-26 16:12 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-01 18:29 . 2005-11-27 03:30 1896 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\32788R22FWJFW ----



((((((((((((((((((((((((((((( SnapShot@2009-04-30_01.16.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-30 20:45 . 2008-09-30 20:45 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2009-04-30 19:13 . 2009-04-30 19:13 16384 c:\windows\TEMP\Perflib_Perfdata_2e0.dat
+ 2005-05-26 09:16 . 2008-10-16 18:09 43544 c:\windows\system32\wups2.dll
+ 2004-08-26 18:01 . 2008-10-16 18:08 34328 c:\windows\system32\wups.dll
+ 2004-08-26 18:01 . 2008-10-16 18:09 51224 c:\windows\system32\wuauclt.exe
+ 2005-09-12 19:11 . 2007-07-27 13:41 26488 c:\windows\system32\spupdsvc.exe
- 2008-01-31 03:04 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2008-01-31 03:04 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-04-30 01:22 . 2008-10-16 18:09 43544 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2 .6001.788\wups2.dll
+ 2009-04-30 01:22 . 2008-10-16 18:08 34328 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2. 6001.788\wups.dll
+ 2004-08-26 18:01 . 2008-10-16 18:08 34328 c:\windows\system32\dllcache\wups.dll
+ 2004-08-26 18:01 . 2008-10-16 18:09 51224 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-26 16:11 . 2008-10-16 18:09 92696 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-26 16:11 . 2008-10-16 18:09 92696 c:\windows\system32\cdm.dll
+ 2009-04-30 05:02 . 2009-04-30 05:02 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2005-09-12 19:10 . 2008-02-15 09:06 351744 c:\windows\system32\xpsp3res.dll
+ 2004-08-26 18:01 . 2008-10-16 18:13 202776 c:\windows\system32\wuweb.dll
+ 2004-08-26 18:01 . 2008-10-16 18:12 323608 c:\windows\system32\wucltui.dll
+ 2004-08-26 18:01 . 2008-10-16 18:12 561688 c:\windows\system32\wuapi.dll
- 2004-08-26 16:12 . 2004-08-04 19:00 351232 c:\windows\system32\winhttp.dll
+ 2004-08-26 16:12 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
+ 2004-08-26 16:12 . 2008-10-03 10:15 247326 c:\windows\system32\strmdll.dll
+ 2004-08-26 16:12 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
+ 2004-08-26 16:11 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll
+ 2004-08-26 10:54 . 2009-04-30 19:13 151584 c:\windows\system32\FNTCACHE.DAT
- 2004-08-26 10:54 . 2007-10-23 07:31 151584 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-26 16:12 . 2008-12-11 11:57 333184 c:\windows\system32\drivers\srv.sys
+ 2004-08-26 16:12 . 2008-10-24 11:10 453632 c:\windows\system32\drivers\mrxsmb.sys
+ 2004-08-26 18:01 . 2008-10-16 18:13 202776 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-26 18:01 . 2008-10-16 18:12 323608 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-26 18:01 . 2008-10-16 18:12 561688 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-26 16:12 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
- 2004-08-26 16:12 . 2004-08-04 19:00 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2004-08-26 16:12 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2004-08-26 16:12 . 2008-12-11 11:57 333184 c:\windows\system32\dllcache\srv.sys
+ 2004-08-26 16:12 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
+ 2006-05-05 09:41 . 2008-10-24 11:10 453632 c:\windows\system32\dllcache\mrxsmb.sys
+ 2004-08-26 16:11 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
+ 2005-09-12 19:15 . 2008-10-24 11:10 453632 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-09-30 20:42 . 2008-09-30 20:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2004-08-26 18:01 . 2008-10-16 18:13 1809944 c:\windows\system32\wuaueng.dll
+ 2004-08-26 16:12 . 2008-07-03 13:03 8460800 c:\windows\system32\shell32.dll
+ 2008-09-30 20:43 . 2008-09-30 20:43 1286152 c:\windows\system32\msxml4.dll
+ 2004-08-26 16:12 . 2008-09-04 16:42 1106944 c:\windows\system32\msxml3.dll
+ 2004-08-26 18:01 . 2008-10-16 18:13 1809944 c:\windows\system32\dllcache\wuaueng.dll
+ 2004-08-26 16:12 . 2009-02-09 10:19 1846272 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-26 16:12 . 2008-07-03 13:03 8460800 c:\windows\system32\dllcache\shell32.dll
+ 2004-08-26 16:12 . 2008-09-04 16:42 1106944 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-26 16:12 . 2008-11-11 22:34 10838016 c:\windows\system32\wmp.dll
+ 2004-08-26 16:12 . 2008-11-11 22:34 10838016 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-05-13 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-05-13 126976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"emMON"="HCWemMON.exe" - c:\windows\HCWemMON.exe [2006-05-31 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-9-12 1742384]
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2006-2-6 98304]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BigFix\\BigFix.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-pidle - c:\documents and settings\Owner\Application Data\pidle\pidle.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\firefox@tvunetwor ks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\moveplayer@movene tworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 15:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-30 15:23
ComboFix-quarantined-files.txt 2009-04-30 19:22
ComboFix2.txt 2009-04-30 01:29

Pre-Run: 7,317,864,448 bytes free
Post-Run: 7,319,453,696 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
228 --- E O F --- 2009-04-30 05:04




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:32 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6354 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
01-May-2009, 02:44 PM #7
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
01-May-2009, 03:20 PM #8
Here's the report:

Malwarebytes' Anti-Malware 1.36
Database version: 2066
Windows 5.1.2600 Service Pack 2

5/1/2009 4:15:23 PM
mbam-log-2009-05-01 (16-15-23).txt

Scan type: Quick Scan
Objects scanned: 94651
Time elapsed: 8 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 22
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\silent.coolbho (Adware.Rabio) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\silent.coolbho.1 (Adware.Rabio) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3be18056-e742-4777-a09f-426bf38dc235} (Adware.Rabio) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c1b0024f-d9db-4653-bca0-0cb670428f6a} (Adware.Rabio) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{57a8860b-6d4a-4b77-a485-303f0abb920c} (Adware.Rabio) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MsSC2 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cool (Adware.Webbuying) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Cool (Adware.Webbuying) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Cool (Adware.Webbuying) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Silent.DLL (Adware.Webbuying) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prn et (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{1919ef7c-f248-4e2e-9280-b58c21c063cc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{55297bfe-2dd2-45a8-868c-82bca3d8369e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{955bff23-dcb0-49a8-8d84-4f570d95e42b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interface s\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{1919ef7c-f248-4e2e-9280-b58c21c063cc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{55297bfe-2dd2-45a8-868c-82bca3d8369e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{955bff23-dcb0-49a8-8d84-4f570d95e42b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interface s\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{1919ef7c-f248-4e2e-9280-b58c21c063cc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{55297bfe-2dd2-45a8-868c-82bca3d8369e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{955bff23-dcb0-49a8-8d84-4f570d95e42b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interface s\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\xirdrvr (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp2 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcopt.dll (Stolen.Data) -> Quarantined and deleted successfully.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
01-May-2009, 06:48 PM #9
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

JRE 6 Update 13

Instructions for Kaspersky scan:
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
01-May-2009, 09:55 PM #10
log attached
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
02-May-2009, 03:38 PM #11
Please post a new HijackThis log.
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
02-May-2009, 06:05 PM #12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:04 PM, on 5/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5938 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
02-May-2009, 06:12 PM #13
You will need to disable Ad-Aware's Ad-Watch before doing this or it will interfere.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =



Reboot and post a new HijackThis log.


Also, please do this:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
timiuser's Avatar
timiuser timiuser is offline
Computer Specs
Member with 42 posts.
THREAD STARTER
 
Join Date: Apr 2009
Experience: Beginner
02-May-2009, 06:45 PM #14
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:35 PM, on 5/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5654 bytes



Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
AOL Instant Messenger
Apple Software Update
BigFix
BitTornado 0.3.7
BounceBack Express
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
Conexant AC-Link Audio
Critical Update for Windows Media Player 11 (KB959772)
DivX Web Player
GTK+ Runtime 2.12.8 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver for Mobile
iPod for Windows
iPod for Windows 2005-02-07
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iPod2PC 2.14
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java(TM) 6 Update 12
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
JetBee FREE 4.0.7 (build 318)
JukeBox Database v3.02
JukeBox Database v3.02 (c:\Program Files\JukeBox Database\)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero OEM
Netflix Movie Viewer
PowerDVD
PrimoPDF
QuickTime
Rhapsody Player Engine
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Soft Data Fax Modem with SmartCP
SoulSeek Client 156c
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
TBS WMP Plug-in
Texas Instruments PCIxx21/x515 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Backup Utility
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB896626
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 98,022 posts.
 
Join Date: Aug 2003
02-May-2009, 07:01 PM #15
What happened to your anti-virus program? Did you uninstall it?

Go to Control Panel - Add/Remove programs and remove:

Viewpoint Media Player

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 13 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment, JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


These are the older versions of Java that you need to uninstall:

Java 2 Runtime Environment, SE v1.4.1_02
Java(TM) 6 Update 12
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7



Reboot and post a new HijackThis log please.

Last edited by Cookiegal; 08-Nov-2009 at 04:53 PM..
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑