Spware, Adware, Virus...PLEASE HELP!

itrocks4u · Nov 8, 2007

I know for sure my computer is messed up. As usual, my IE homepage is hacked, I get a number of random popups continously. NO activity and I'm still getting 20 popups. And worst of all, there is this yellow triangle with exclamation mark which keeps on blinking and telling me about a number of popups I have. I've attached my HJT log file. please help.
I'll really appreciate it...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:00 AM, on 08/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\WINDOWS\System32\ainmuqdw.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\System32\rhpmylmb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - D:\WINDOWS\System32\ainmuqdw.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7757 bytes

itrocks4u · Nov 8, 2007

when will I get a reply?

Cookiegal · Nov 10, 2007

You are dealing with several infections here and it has probably eaten your anti-virus program since it's not working properly.

I wonder why you never installed SP2? This is one reason your computer was wide open for exploits. Do NOT install it now as doing so on an infected computer will cause serious problems. But do so after the cleanup is complete.

Download ComboFix and save it to your desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall**

itrocks4u · Nov 11, 2007

Hey, Thank you SO much for you reply. You have no idea how long I've been waiting for it. I'm glad I finally recieved it! Ok so while I was waiting for your reply, I did run a number of things on the computer, including spybot, countersky, Bitdefender online scanner. I tried running Pandaactive scanner after that but it did not work.

I did as you said. I've attached the Combofix log and posted the HJT log. Even though I ran a number of programs, I'm still getting a lot of popups. To be more specfic, there is still a security toolbar, and a few icons on desktop including Live Saftey centre and online security guide. In addition to all that, there is still the yellow triangle with exclamation mark in my system tray which keeps on blinking and giving these notifications that I have almost all the trojan and viruses on my computer.

Anyways, please do let me know wats next.

itrocks4u · Nov 11, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:03 AM, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: {9f912eeb-a7b4-10bb-1f64-c5a4ace1b410} - {014b1eca-4a5c-46f1-bb01-4b7abee219f9} - D:\WINDOWS\System32\psegthts.dll
O2 - BHO: (no name) - {183807B8-BC07-48A2-8DAD-ABC96FA6C7A8} - D:\WINDOWS\system32\yayaaya.dll (file missing)
O2 - BHO: SysApp - {4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D} - D:\Program Files\ApplePie\ie-improver.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [b88fa9cc] rundll32.exe "D:\WINDOWS\System32\dbuwusdp.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
O20 - Winlogon Notify: yayaaya - yayaaya.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8765 bytes

Cookiegal · Nov 11, 2007

Open Notepad and copy and paste the text in the quote box below into it:

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

File::
D:\WINDOWS\system32\psegthts.dll
D:\WINDOWS\system32\dbuwusdp.dll
D:\WINDOWS\system32\nyadgmmc.exe
D:\WINDOWS\system32\vrbrwfla.dll
D:\WINDOWS\system32\futgidlx.dll
D:\WINDOWS\system32\wvsuitjv.dll
D:\WINDOWS\system32\rhpmylmb.dll
D:\WINDOWS\system32\avoiyjhg.dll
D:\WINDOWS\system32\yayaaya.dll

Folder::
D:\Program Files\ApplePie

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014b1eca-4a5c-46f1-bb01-4b7abee219f9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b88fa9cc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rhpmylmb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaaya]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

itrocks4u · Nov 12, 2007

Did as you said...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:34 AM, on 12/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8252 bytes

Cookiegal · Nov 12, 2007

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

In the Processes group click ALL

In the Win32 Services group click ALL

In the Driver Services group click ALL

In the Registry group click ALL

In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED

In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED

In the File String Search group click SELECT ALL

in the Additional Scans sections please press select ALL

Now click the Run Scan button on the toolbar.

The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.

When the scan is complete Notepad will open with the report file loaded in it.

Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.

Please post the resulting log here as an attachment.

Cookiegal · Nov 12, 2007

Then let's address the other infection before doing a WinpFind3u log.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups and then restore them.

Download FindAWF.exe from here or here and save it to your desktop.

Double-click on the FindAWF.exe file to run it.

It will open a command prompt and ask you to "Press any key to continue".

You will be presented with the following Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT

Select option 1, then press Enter

It may take a few minutes to complete so be patient.

When it is complete, it will open a text file in Notepad called AWF.txt.

Please copy and paste the contents of the AWF.txt file in your next reply.

itrocks4u · Nov 12, 2007

Ok I'm about to run the scan. But I dont get it, the exclamation mark and the popups are still there. Its just impossible to work on this computer!! How do i get rid of those??

itrocks4u · Nov 12, 2007

I dont know if this is wat you wanted...

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 12/11/2007
The current time is: 22:07:35.35

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

itrocks4u · Nov 12, 2007

new HJT and the requested file attached... I compressed the other file to .rar cause it exceeded the max limit of 500 KB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:32 PM, on 12/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\msiexec.exe
D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8142 bytes

Cookiegal · Nov 13, 2007

Disconnect from the Internet and disable your anti-virus and firewall programs. Be sure to remember to re-start them before going on-line again.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.

Code:

[Kill Explorer]
[Unregister Dlls]
[Registry - All]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> rhpmylmb -> %System32%\rhpmylmb.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {A95B2816-1D7E-4561-A202-68C0DE02353A} [HKLM] -> %System32%\rhpmylmb.dll [Reg Data - Value does not exist]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> %System32%\rhpmylmb.dll [Security Toolbar]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\{11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> %System32%\rhpmylmb.dll [Security Toolbar]
[Files/Folders - Created Within 60 days]
NY -> grbminsu.ini -> %System32%\grbminsu.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> pdsuwubd.ini -> %System32%\pdsuwubd.ini
NY -> qbipmkok.ini -> %System32%\qbipmkok.ini
NY -> rhpmylmb.dll -> %System32%\rhpmylmb.dll
NY -> rhpmylmb.dllbox -> %System32%\rhpmylmb.dllbox
NY -> vjtiusvw.ini -> %System32%\vjtiusvw.ini
NY -> Live Safety Center.lnk -> %UserDesktop%\Live Safety Center.lnk
NY -> Online Security Guide.lnk -> %UserDesktop%\Online Security Guide.lnk
[Files/Folders - Modified Within 30 days]
NY -> grbminsu.ini -> %System32%\grbminsu.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> pdsuwubd.ini -> %System32%\pdsuwubd.ini
NY -> rhpmylmb.dll -> %System32%\rhpmylmb.dll
NY -> rhpmylmb.dllbox -> %System32%\rhpmylmb.dllbox
NY -> vjtiusvw.ini -> %System32%\vjtiusvw.ini
NY -> Live Safety Center.lnk -> %UserDesktop%\Live Safety Center.lnk
NY -> Online Security Guide.lnk -> %UserDesktop%\Online Security Guide.lnk
[Empty Temp Folders]
[Start Explorer]
[Reboot]

Also, after you've done the above, please run ComboFix again and post that log.

itrocks4u · Nov 13, 2007

Explorer killed successfully
[Registry - All]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rhpmylmb deleted successfully.
D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.
D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
[Files/Folders - Created Within 60 days]
D:\WINDOWS\SYSTEM32\grbminsu.ini moved successfully.
D:\WINDOWS\SYSTEM32\mcrh.tmp moved successfully.
D:\WINDOWS\SYSTEM32\pdsuwubd.ini moved successfully.
D:\WINDOWS\SYSTEM32\qbipmkok.ini moved successfully.
D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
D:\WINDOWS\SYSTEM32\rhpmylmb.dllbox moved successfully.
D:\WINDOWS\SYSTEM32\vjtiusvw.ini moved successfully.
D:\Documents and Settings\Ours\Desktop\Live Safety Center.lnk moved successfully.
D:\Documents and Settings\Ours\Desktop\Online Security Guide.lnk moved successfully.
[Files/Folders - Modified Within 30 days]
File D:\WINDOWS\SYSTEM32\grbminsu.ini not found!
File D:\WINDOWS\SYSTEM32\mcrh.tmp not found!
File D:\WINDOWS\SYSTEM32\pdsuwubd.ini not found!
D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
File D:\WINDOWS\SYSTEM32\rhpmylmb.dllbox not found!
File D:\WINDOWS\SYSTEM32\vjtiusvw.ini not found!
File D:\Documents and Settings\Ours\Desktop\Live Safety Center.lnk not found!
File D:\Documents and Settings\Ours\Desktop\Online Security Guide.lnk not found!
[Empty Temp Folders]
D:\DOCUME~1\Ours\LOCALS~1\Temp\ -> emptied.
D:\Documents and Settings\Ours\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 11/13/2007 11:13:52

---------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:31 AM, on 13/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\msiexec.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
O20 - Winlogon Notify: rhpmylmb - rhpmylmb.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8108 bytes

itrocks4u · Nov 13, 2007

ComboFix 07-11-08.3 - Ours 2007-11-13 11:25:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.179 [GMT -5:00]
Running from: D:\Documents and Settings\Ours\Desktop\Spyware\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
D:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
D:\Documents and Settings\Ours\Favorites\Online Security Guide.lnk

.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-11 04:47 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-11 04:38 11,254 --a------ D:\WINDOWS\system32\locate.com
2007-11-10 20:14 <DIR> d---s---- D:\Documents and Settings\Administrator\UserData
2007-11-10 12:33 5,200,228 --a------ D:\WINDOWS\system32\SBSP.dat
2007-11-10 03:43 438 --a------ D:\WINDOWS\system32\SBFC.dat
2007-11-10 03:42 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-11-10 02:55 <DIR> d-------- D:\Documents and Settings\Ours\Application Data\Sunbelt Software
2007-11-10 02:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-10 02:54 <DIR> d-------- D:\Program Files\Sunbelt Software
2007-11-10 02:51 <DIR> d-------- D:\Spyware
2007-11-10 02:11 <DIR> d-------- D:\WINDOWS\pss
2007-10-25 10:26 53,248 --a------ D:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 16:15 --------- d-----w D:\Program Files\Symantec AntiVirus
2007-11-11 05:45 --------- d-----w D:\Program Files\Common Files\Autodesk Shared
2007-11-11 05:42 --------- d-----w D:\Program Files\Athan
2007-11-11 05:02 --------- d-----w D:\Program Files\MSN Messenger
2007-11-11 05:02 --------- d-----w D:\Program Files\Lexmark 2200 Series
2007-11-11 05:02 --------- d-----w D:\Program Files\Google
2007-11-11 05:02 --------- d-----w D:\Program Files\ewido anti-malware
2007-11-11 04:14 --------- d-----w D:\Program Files\Picasa2
2007-11-11 04:14 --------- d-----w D:\Program Files\Lexmark Fax Solutions
2007-11-11 04:14 --------- d-----w D:\Program Files\IMT Labs Messenger Plugin
2007-11-10 08:20 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 04:49 48,846 ----a-w D:\Documents and Settings\Ours\Application Data\wklnhst.dat
2007-11-06 07:55 --------- d-----w D:\Documents and Settings\Ours\Application Data\LimeWire
2007-11-02 20:00 --------- d-----w D:\Program Files\Norton Security Scan
2007-10-07 04:19 737,280 ----a-w D:\WINDOWS\iun6002.exe
2007-10-04 02:57 --------- d-----w D:\Program Files\QuickTime
2007-09-28 19:05 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2007-08-27 16:26 27,120 ----a-w D:\WINDOWS\system32\SBBD.exe
2006-05-20 22:41 840 ----a-w D:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2005-01-07 21:21 284 ----a-w D:\Documents and Settings\Ours\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( [email protected]_ 4.59.49.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-11 05:01:52 16,384 ----a-w D:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-13 16:15:05 16,384 ----a-w D:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-11 05:01:52 32,768 ----a-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-13 16:15:05 32,768 ----a-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-13 16:15:05 32,768 ----a-w D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-28 21:03:38 52,968 ----a-w D:\WINDOWS\system32\perfc009.dat
+ 2007-11-11 10:02:52 52,968 ----a-w D:\WINDOWS\system32\perfc009.dat
- 2007-10-28 21:03:38 380,680 ----a-w D:\WINDOWS\system32\perfh009.dat
+ 2007-11-11 10:02:52 380,680 ----a-w D:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 585,728 2003-05-30 16:42:22 D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe

----a-w 790,528 2003-05-29 23:28:32 D:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 937,984 2005-09-12 00:02:32 D:\Program Files\Athan\bak\Athan.exe
----a-w 1,003,520 2007-09-06 18:25:02 D:\Program Files\Athan\Athan.exe

----a-w 344,064 2004-12-01 02:10:00 D:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 50,688 2003-06-07 11:32:32 D:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 820,736 2005-09-06 19:45:24 D:\Program Files\Common Files\PCSuite\DataLayer\bak\DataLayer.exe

----a-w 102,400 2004-12-02 23:23:34 D:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe

----a-w 32,768 2004-11-03 00:24:46 D:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 81,920 2005-01-26 21:57:49 D:\Program Files\IMT Labs Messenger Plugin\bak\Cloud.exe

----a-w 36,975 2005-11-10 17:03:52 D:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 57,344 2004-02-13 13:08:00 D:\Program Files\Lexmark 2200 Series\bak\lxbvbmgr.exe

----a-w 294,912 2004-02-04 19:33:20 D:\Program Files\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 176,128 2005-06-29 20:29:26 D:\Program Files\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe

----a-w 135,168 2005-02-04 23:32:51 D:\Program Files\Picasa2\bak\PicasaMediaDetector.exe

----a-w 98,304 2004-12-14 03:23:23 D:\Program Files\QuickTime\bak\qttask.exe
----a-w 27,660 2007-10-04 02:54:44 D:\Program Files\QuickTime\qttask.exe

----a-w 81,920 2005-01-25 00:58:02 D:\Program Files\Sony\SonicStage\bak\SsAAD.exe

----a-w 124,232 2004-08-03 00:36:40 D:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 3,084,288 2005-08-19 23:34:02 D:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 155,648 2001-07-09 15:50:42 D:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" []
"SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" [2003-05-30 11:42]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"Lexmark 2200 Series"="D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" []
"FaxCenterServer"="D:\Program Files\Lexmark Fax Solutions\fm3032.exe" []
"Microsoft Works Update Detection"="D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" []
"QuickTime Task"="D:\Program Files\QuickTime\bak\qttask.exe" [2004-12-13 22:23]
"CloudPlugin"="D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe" []
"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" []
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" []
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" []
"DataLayer"="D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" []
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" []
"SsAAD.exe"="D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" []
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"Athan"="D:\Program Files\Athan\Athan.exe" [2007-09-06 13:25]
"SBCSTray"="D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\ypager.exe" []
"msnmsgr"="D:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" []

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Post-itr Software Notes Lite.lnk - D:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 13:26:54]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2005-03-11 17:09:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rhpmylmb]
rhpmylmb.dll

R1 cdrbsvsd;cdrbsvsd;D:\WINDOWS\System32\drivers\cdrbsvsd.sys
R2 eusk2par;EUTRON SmartKey Parallel Driver;\??\D:\WINDOWS\System32\Drivers\eusk2par.sys
R2 Vcs;Vcs support;\??\D:\WINDOWS\System32\Drivers\Vcs.sys
S3 JL2005;JL2005A Toy Camera;D:\WINDOWS\System32\Drivers\toywdm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);D:\WINDOWS\System32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;D:\WINDOWS\System32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;D:\WINDOWS\System32\DRIVERS\ss_mdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 05:09:14 D:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 11:29:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-13 11:31:01
D:\ComboFix2.txt ... 2007-11-11 23:52
D:\ComboFix3.txt ... 2007-11-11 05:04
.
--- E O F ---

Log in or Sign up

Spware, Adware, Virus...PLEASE HELP!

itrocks4u Thread Starter

itrocks4u Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

Attached Files:

ComboFix.txt

itrocks4u Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

Attached Files:

combotext.txt

Cookiegal Administrator Malware Specialist Coordinator

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

itrocks4u Thread Starter

itrocks4u Thread Starter

Attached Files:

WinPFind3.rar

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

itrocks4u Thread Starter

Sponsor

Welcome to Tech Support Guy!

In Progress I have Adware on my computer how do I remove it?

In Progress Adware (possibly) on Android phone

In Progress Adware Adware:JS/InjectorAd.A

In Progress Google adware

Log in or Sign up

Spware, Adware, Virus...PLEASE HELP!

itrocks4u Thread Starter

itrocks4u Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

Attached Files:

ComboFix.txt

itrocks4u Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

Attached Files:

combotext.txt

Cookiegal Administrator Malware Specialist Coordinator

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

itrocks4u Thread Starter

itrocks4u Thread Starter

Attached Files:

WinPFind3.rar

Cookiegal Administrator Malware Specialist Coordinator

itrocks4u Thread Starter

itrocks4u Thread Starter

Sponsor

Welcome to Tech Support Guy!

In Progress I have Adware on my computer how do I remove it?

In Progress Adware (possibly) on Android phone

In Progress Adware Adware:JS/InjectorAd.A

In Progress Google adware

Useful Searches