
"Trojan Horse, PassCapture and etc." Black Desktop. Help!

Discussion in 'Virus & Other Malware Removal' started by timiuser, Apr 27, 2009.

  1. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    I think I picked up a virus. I get constant pop-ups in Firefox and Internet Explorer. My desktop has gone completely black and it says:

    "Warning: Dangerous Spyware. Following viruses were found on your computer: Trojan horse, Passcapture and etc. Your private information may be potentially transferred to third parties. Please, check computer using advanced software. Thanks."

    And when I try to open task manager it says that access has been denied by the administrator.

    Please help!


    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:56 PM, on 4/27/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\HCWemMON.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\frmwrk32.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
    C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\3493314460.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: C:\WINDOWS\system32\yhs783ijfo3fe.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
    O2 - BHO: (no name) - {c37f09a0-43f7-49a4-a265-4ce61a56458e} - C:\WINDOWS\system32\tuneyevi.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [emMON] HCWemMON.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [38a25a5a] rundll32.exe "C:\WINDOWS\system32\puwisuro.dll",b
    O4 - HKLM\..\Run: [CPM3b9169c6] Rundll32.exe "c:\windows\system32\jelukahu.dll",a
    O4 - HKLM\..\Run: [rolerofota] Rundll32.exe "C:\WINDOWS\system32\towoyila.dll",s
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
    O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\3493314460.exe
    O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\wkfbr.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wkfbr.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\814786118.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wkfbr.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55297BFE-2DD2-45A8-868C-82BCA3D8369E}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B15B7F7A-B959-4BC2-B2C5-8718B30EFFDA}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE2D8502-8A59-491D-BF21-F804B6EC3BFF}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS5\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll c:\windows\system32\jelukahu.dll,C:\WINDOWS\system32\bibegipe.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jelukahu.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jelukahu.dll
    O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10378 bytes
     

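The log above is the thread's evidence. As an added triage example (not part of the thread, and not a HijackThis or Tech Support Guy tool), the following Python script parses HijackThis-style lines and flags the indicator classes this particular log shows: O17 NameServer entries pointing at resolvers outside an assumed expected set (the 85.255.x.x pair here), O4 autostarts launched from Temp or Application Data, the O7 DisableRegedit policy, AppInit_DLLs (O20) injection, and unnamed or randomly named BHOs (O2). The expected-resolver prefixes, the path patterns and the random-name heuristic are assumptions made for the example; the sample input is constructed from lines in the posted log plus two benign entries.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# benign entries (Synaptics, AVG) to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {c37f09a0-43f7-49a4-a265-4ce61a56458e} - C:\WINDOWS\system32\tuneyevi.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\3493314460.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wkfbr.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll c:\windows\system32\jelukahu.dll,C:\WINDOWS\system32\bibegipe.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption for this example: resolvers the machine is expected to use
# (a home router range or a public resolver). Anything else on an O17 line is flagged.
EXPECTED_DNS_PREFIXES = ("192.168.", "10.", "8.8.8.8", "8.8.4.4")

# Autostart locations a legitimate installer almost never uses (assumed patterns).
USER_WRITABLE = re.compile(
    r"\\temp\\|\\locals~1\\|\\application data\\|\\local settings\\", re.IGNORECASE
)

# Policy values that lock the user out of the tools needed to investigate.
POLICY_FLAGS = ("DisableRegedit=1", "DisableTaskMgr=1")

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(filename: str) -> bool:
    """Crude heuristic: an 8+ character stem mixing letters and digits,
    or a 5+ character stem with no vowels (e.g. yhs783ijfo3fe.dll)."""
    stem = re.sub(r"\.[a-z0-9]{2,4}$", "", filename, flags=re.IGNORECASE)
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    no_vowel = re.search(r"[aeiou]", stem, re.IGNORECASE) is None
    return (mixed and len(stem) >= 8) or (no_vowel and len(stem) >= 5)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious HijackThis line; benign lines are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O17":
            # DNS hijack: every adapter's NameServer rewritten to an outside resolver.
            unexpected = [ip for ip in IPV4.findall(body) if not ip.startswith(EXPECTED_DNS_PREFIXES)]
            if unexpected:
                findings.append(Finding(section, "NameServer set to unexpected resolver(s): " + ", ".join(unexpected), line))
        elif section == "O4":
            if USER_WRITABLE.search(body):
                findings.append(Finding(section, "autostart launched from temp or per-user data directory", line))
        elif section == "O7":
            hits = [f for f in POLICY_FLAGS if f in body]
            if hits:
                findings.append(Finding(section, "admin tool disabled by policy: " + ", ".join(hits), line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d for d in re.split(r"[ ,]+", body[len("AppInit_DLLs:"):].strip()) if d]
            findings.append(Finding(section, f"AppInit_DLLs loads {len(dlls)} DLL(s) into every GUI process", line))
        elif section == "O2":
            filename = body.rsplit("\\", 1)[-1]
            if "(no name)" in body or looks_random(filename):
                findings.append(Finding(section, "BHO with no name or random-looking file name", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per HijackThis section, e.g. {'O17': 2, 'O4': 3, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run as-is it reports eight findings from the sample and none for the Synaptics or AVG lines. On a real log treat the output as a reading aid rather than a verdict: the O17 entries in particular should be compared against the resolvers the router or ISP actually hands out before anything is changed, and the random-name heuristic is deliberately loose, so it is applied only to BHO lines.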
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

    Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

    Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
     
  4. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    Thanks very much, Cookiegal!

    So I followed the instructions and ran Combo-Fix. The only problem I encountered was that I couldn't quit an anti-virus program called AVG Anti-Virus Free. I tried to uninstall it but couldn't because Word kept opening on my computer. I tried to access task manager to quit it but it said that my task manager was locked by the administrator.

    Also, while Combo-Fix was running, it told me to note a few codes it came up with for "later" use. Here they are:

    c:\windows\system32\ovfsthbbquhxxkmwbvwosbcmutjlnouvydolwi.dat
    c:\windows\system32\ovfsthfsnqbhydhehqplypdevvossxsdyadyas.dat
    c:\windows\system32\ovfsthgcfybutqrmftjlnoptatemgodymgsymx.dll
    c:\windows\system32\ovfsthoktfqlixhdqgoifyhaknlcxqbpwisekh.dll
    c:\windows\system32\ovfsthxvmqewiaypyeseqtfxvysdosmwfpcbwr.dll


    And here are the Combo-Fix and the HijackThis logs, respectively:

    ComboFix 09-04-29.01 - Owner 04/29/2009 21:08.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.183 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Rabio
    c:\documents and settings\Owner\Application Data\twain\Twain.exe
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Cpvff.stt
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
    c:\documents and settings\Owner\protect.dll
    c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll
    c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk
    c:\windows\absolute key logger.lnk
    c:\windows\aconti.ini
    c:\windows\aconti.log
    c:\windows\aconti.sdb
    c:\windows\acontidialer.txt
    c:\windows\default.htm
    c:\windows\system32\__c0072EDE.dat
    c:\windows\system32\998.exe
    c:\windows\system32\acespy
    c:\windows\system32\acespy\__acelog.ndx
    c:\windows\system32\acespy\systune.exe
    c:\windows\system32\ahtn.htm
    c:\windows\system32\autochk.dll
    c:\windows\system32\bibegipe.dll
    c:\windows\system32\config\systemprofile\protect.dll
    c:\windows\system32\din.ip
    c:\windows\system32\drivers\ovfsthuxnshutamfxrontrjetmoryxtrvkixrv.sys
    c:\windows\system32\dumphive.exe
    c:\windows\system32\erukidaj.ini
    c:\windows\system32\frmwrk32.exe
    c:\windows\system32\higalepo.dll
    c:\windows\system32\inudukul.ini
    c:\windows\system32\jadikure.dll
    c:\windows\system32\jelukahu.dll
    c:\windows\system32\kihipapo.dll
    c:\windows\system32\ksvcl.dll
    c:\windows\system32\loader266.exe
    c:\windows\system32\loader49.exe
    c:\windows\system32\lukuduni.dll
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\ntdll64.exe
    c:\windows\system32\okkprcvq.ini
    c:\windows\system32\omugakoy.ini
    c:\windows\system32\opelagih.ini
    c:\windows\system32\orusiwup.ini
    c:\windows\system32\ovfsthbbquhxxkmwbvwosbcmutjlnouvydolwi.dat
    c:\windows\system32\ovfsthfsnqbhydhehqplypdevvossxsdyadyas.dat
    c:\windows\system32\ovfsthgcfybutqrmftjlnoptatemgodymgsymx.dll
    c:\windows\system32\ovfsthoktfqlixhdqgoifyhaknlcxqbpwisekh.dll
    c:\windows\system32\ovfsthxvmqewiaypyeseqtfxvysdosmwfpcbwr.dll
    c:\windows\system32\p2hhr.bat
    c:\windows\system32\pagifali.dll
    c:\windows\system32\pohulomo.dll
    c:\windows\system32\prnet.tmp
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\sznf.ascii
    c:\windows\system32\tmp.reg
    c:\windows\system32\towoyila.dll
    c:\windows\system32\tuneyevi.dll
    c:\windows\system32\uniq.tll
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\warning.gif
    c:\windows\system32\winglsetup.exe
    c:\windows\system32\wopebulu.dll
    c:\windows\system32\WS2Fix.exe
    c:\windows\system32\yejedotu.exe
    c:\windows\system32\yhs783ijfo3fe.dll
    c:\windows\system32\zoyegetu.dll
    c:\windows\TEMP\132344256.exe
    c:\windows\TEMP\1427322688.exe
    c:\windows\TEMP\2518703504.exe
    c:\windows\TEMP\3892445992.exe
    c:\windows\TEMP\814786118.exe
    C:\xcrashdump.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_ovfsthrpdvjnswutewberafwkppkfmituwkymr


    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
    .

    2009-04-30 00:40 . 2009-04-30 00:40 -------- d-----w C:\32788R22FWJFW
    2009-04-27 20:57 . 2009-04-28 17:38 -------- d-----w c:\documents and settings\Owner\Application Data\digifast
    2009-04-27 20:52 . 2009-04-30 01:09 -------- d-----w c:\documents and settings\Owner\Application Data\Twain
    2009-04-27 20:47 . 2009-04-27 20:47 -------- d-----w c:\program files\WWShow
    2009-04-27 20:42 . 2009-04-27 20:42 -------- d-----w c:\program files\Jcore
    2009-04-27 20:29 . 2009-04-30 00:18 27648 ----a-w c:\windows\system32\lmppcsetup.exe
    2009-04-27 20:07 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-27 18:26 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-27 18:26 . 2009-04-27 18:26 -------- dc----w c:\windows\system32\DRVSTORE
    2009-04-27 18:25 . 2009-04-27 18:25 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-27 18:24 . 2009-04-27 18:26 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-27 04:11 . 2009-04-27 17:40 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-27 03:50 . 2009-04-27 03:50 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-04-27 03:50 . 2009-04-27 03:50 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-27 03:50 . 2009-04-27 03:50 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-04-27 03:50 . 2009-04-27 03:50 -------- d-----w c:\windows\system32\drivers\Avg
    2009-04-27 03:50 . 2009-04-27 03:50 -------- d-----w c:\program files\AVG
    2009-04-27 03:50 . 2009-04-30 00:38 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-04-26 22:47 . 2009-04-26 22:47 -------- d-----w c:\program files\Trend Micro
    2009-04-26 20:36 . 2009-04-26 20:36 -------- d-----w c:\documents and settings\Owner\Application Data\pidle
    2009-04-11 22:23 . 2009-04-11 22:23 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2009-03-31 18:22 . 2009-03-31 18:22 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Apple
    2009-03-31 18:20 . 2009-03-31 18:21 -------- d-----w c:\program files\Apple Software Update
    2009-03-31 18:20 . 2009-03-31 18:20 -------- d-----w c:\documents and settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-28 17:25 . 2009-04-28 17:25 162 ---ha-w c:\windows\system32\~$prnet.tmp
    2009-04-27 20:07 . 2007-10-23 06:27 -------- d-----w c:\program files\Adsense Helper Object
    2009-04-27 18:24 . 2006-01-01 03:26 -------- d-----w c:\program files\Lavasoft
    2009-04-27 15:30 . 2007-10-23 04:51 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-04-27 15:05 . 2009-01-27 15:05 52224 --sha-w c:\windows\system32\legidonu.exe
    2009-04-26 20:41 . 2009-01-26 20:41 52224 --sha-w c:\windows\system32\lilayeti.exe
    2009-03-31 18:25 . 2005-11-27 04:44 -------- d-----w c:\program files\QuickTime
    2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Real
    2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Common Files\Real
    2009-03-31 04:25 . 2005-09-12 18:49 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-15 18:58 . 2008-08-13 15:36 -------- d-----w c:\program files\Microsoft Silverlight
    2009-02-16 04:42 . 2009-02-02 00:39 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-02-01 18:29 . 2005-11-27 03:30 1896 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2009-04-27 20:59 . 2009-04-27 20:59 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
    2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
    2009-01-26 20:36 . 2009-01-26 20:36 49152 --sha-w c:\windows\system32\guzuyavu.dll.tmp
    2009-01-26 20:36 . 2009-01-26 20:36 49152 --sha-w c:\windows\system32\heravole.dll.tmp
    2009-01-26 20:36 . 2009-01-26 20:36 49152 --sha-w c:\windows\system32\tigefeki.dll.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "pidle"="c:\documents and settings\Owner\Application Data\pidle\pidle.exe" [2009-04-26 56832]
    "DigiFast"="c:\documents and settings\Owner\Application Data\digifast\digifast.exe" [2009-04-27 225792]
    "H25k"="c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe" [2009-04-27 35840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-05-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-05-13 126976]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1932568]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "emMON"="HCWemMON.exe" - c:\windows\HCWemMON.exe [2006-05-31 61440]

    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    ChkDisk.dll [2009-4-29 24064]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Script execution time was exceeded on script "c:\combo-fix\lnkread.vbs".
    Script execution was terminated.

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 17:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-27 03:50 10520 ----a-w c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\BigFix\\BigFix.exe"=
    "c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-27 325640]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-27 108552]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-27 908056]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-27 298264]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - ALG
    *Deregistered* - AudioSrv
    *Deregistered* - avg8emc
    *Deregistered* - avg8wd
    *Deregistered* - BITS
    *Deregistered* - Browser
    *Deregistered* - CCALib8
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - Dnscache
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - helpsvc
    *Deregistered* - ImapiService
    *Deregistered* - iPodService
    *Deregistered* - JavaQuickStarterService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - Lavasoft Ad-Aware Service
    *Deregistered* - LmHosts
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - PolicyAgent
    *Deregistered* - PrismXL
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - Viewpoint Manager Service
    *Deregistered* - W32Time
    *Deregistered* - WebClient
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WZCSVC

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

    2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
    BHO-{c37f09a0-43f7-49a4-a265-4ce61a56458e} - c:\windows\system32\tuneyevi.dll
    WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    HKCU-Run-prnet - c:\windows\system32\prnet.tmp
    HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    HKLM-Run-prnet - c:\windows\system32\prnet.tmp
    HKLM-Run-autochk - c:\windows\system32\autochk.dll
    HKU-Default-Run-Windows Resurections - c:\windows\TEMP\wkfbr.exe
    HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\2518703504.exe
    HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
    HKU-Default-Run-A00FE9D93.exe - c:\windows\TEMP\_A00FE9D93.exe
    SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
    SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kihipapo.dll
    Notify-__c0072EDE - c:\windows\system32\__c0072EDE.dat


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
    FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\[email protected]\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-29 21:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(812)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(600)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\BigFix\BigFix.exe
    c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-30 21:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-30 01:27

    Pre-Run: 7,752,544,256 bytes free
    Post-Run: 7,733,088,256 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
    335 --- E O F --- 2008-09-21 20:06




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:41:43 PM, on 4/29/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\HCWemMON.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe
    C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    C:\Documents and Settings\Owner\Application Data\DigiFast\digifast.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [emMON] HCWemMON.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\Owner\Application Data\digifast\digifast.exe
    O4 - HKCU\..\Run: [H25k] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7712 bytes
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    File::
    c:\windows\system32\lmppcsetup.exe
    c:\windows\system32\legidonu.exe
    c:\windows\system32\lilayeti.exe
    c:\program files\mozilla firefox\components\dfff.dll
    c:\program files\mozilla firefox\components\WWShow.dll
    c:\windows\system32\guzuyavu.dll.tmp
    c:\windows\system32\heravole.dll.tmp
    c:\windows\system32\tigefeki.dll.tmp
    c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
    
    Folder::
    c:\documents and settings\Owner\Application Data\digifast
    c:\documents and settings\Owner\Application Data\Twain
    c:\program files\WWShow
    c:\program files\Jcore
    c:\documents and settings\Owner\Application Data\pidle
    c:\program files\Adsense Helper Object
    
    DirLook::
    C:\32788R22FWJFW
    
    registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "pidle"=-
    "DigiFast"=-
    "H25k"=-
     
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [IMG]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
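A small triage helper for HijackThis-style logs, added here as an editor's example (it is not part of the thread, of HijackThis or of ComboFix): it flags the two entry classes the removal script above targets, O4 autostarts whose binary sits in a user-writable profile or temp folder and O17 per-interface NameServer overrides that point at public resolvers, and runs them over lines copied from the HijackThis log posted earlier in this thread. The regular expressions, folder markers and the "opaque hex argument" heuristic are this example's own assumptions, and a hit means "review this entry", not a verdict.

```python
"""Triage of HijackThis-style log lines (editor-added example, not part of
the thread or of HijackThis/ComboFix).  Every finding is a tuple of
(section, name-or-key, path-or-server, reason)."""
import ipaddress
import re

# O4 - HKCU\..\Run: [name] "C:\path\prog.exe" args   (assumed line shape)
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O17 - HKLM\System\CS1\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r'^O17 - (?P<key>\S+): NameServer =\s*(?P<servers>.*)$')
# First executable on the command line, quoted or not (paths may contain spaces).
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)',
                     re.IGNORECASE)
# A long run of hex digits as the only argument is unusual for legitimate autostarts.
HEX_ARG_RE = re.compile(r'\s[0-9A-F]{32,}\s*$', re.IGNORECASE)

# Folders a standard user (or malware running as one) can write to.  Heuristic:
# legitimate software occasionally lives here too, so this only raises a flag.
USER_WRITABLE_MARKERS = ('\\application data\\', '\\local settings\\', '\\temp\\')


def in_user_writable(path):
    """True when the path lies under one of the user-writable folder markers."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(lines):
    """Return findings for the O4 and O17 lines in an iterable of log lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd')
            pm = PATH_RE.match(cmd)
            path = pm.group('path') if pm else cmd
            reasons = []
            if in_user_writable(path):
                reasons.append('autostart binary in user-writable folder')
            if HEX_ARG_RE.search(cmd):
                reasons.append('opaque hex argument on command line')
            if reasons:
                findings.append(('O4', m.group('name'), path, '; '.join(reasons)))
            continue
        m = O17_RE.match(line)
        if m:
            # An empty NameServer value means DHCP-assigned resolvers: nothing to flag.
            for server in filter(None, (s.strip() for s in m.group('servers').split(','))):
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(('O17', m.group('key'), server,
                                     'NameServer value is not an IP address'))
                    continue
                if ip.is_global:
                    findings.append(('O17', m.group('key'), server,
                                     'hard-coded public resolver; confirm it belongs to the ISP'))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Owner\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\Owner\Application Data\digifast\digifast.exe
O4 - HKCU\..\Run: [H25k] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
"""


def triage_sample():
    """Run the triage over the sample lines above."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == '__main__':
    for section, name, value, reason in triage_sample():
        print(f'{section} [{name}] {value}: {reason}')
```

The three O4 hits are exactly the Run values the script above deletes, and the O17 resolvers are the ones still present in the follow-up HijackThis log, which is why a practitioner would check them separately.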
     
  6. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    Here they are:

    ComboFix 09-04-29.01 - Owner 04/30/2009 15:18.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.115 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
    c:\program files\mozilla firefox\components\dfff.dll
    c:\program files\mozilla firefox\components\WWShow.dll
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
    c:\windows\system32\guzuyavu.dll.tmp
    c:\windows\system32\heravole.dll.tmp
    c:\windows\system32\legidonu.exe
    c:\windows\system32\lilayeti.exe
    c:\windows\system32\lmppcsetup.exe
    c:\windows\system32\tigefeki.dll.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\digifast
    c:\documents and settings\Owner\Application Data\digifast\config.cfg
    c:\documents and settings\Owner\Application Data\digifast\DFUninstall.exe
    c:\documents and settings\Owner\Application Data\digifast\digifast.exe
    c:\documents and settings\Owner\Application Data\Microsoft\Windows\fjsgwd.exe
    c:\documents and settings\Owner\Application Data\pidle
    c:\documents and settings\Owner\Application Data\pidle\pidle.exe
    c:\documents and settings\Owner\Application Data\Twain
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Cpvff.stt
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\Adsense Helper Object
    c:\program files\Jcore
    c:\program files\Jcore\Jcore2.dll
    c:\program files\mozilla firefox\components\dfff.dll
    c:\program files\mozilla firefox\components\WWShow.dll
    c:\program files\WWShow
    c:\program files\WWShow\WWShow.dll
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
    c:\windows\system32\guzuyavu.dll.tmp
    c:\windows\system32\heravole.dll.tmp
    c:\windows\system32\legidonu.exe
    c:\windows\system32\lilayeti.exe
    c:\windows\system32\lmppcsetup.exe
    c:\windows\system32\tigefeki.dll.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
    .

    2009-04-30 19:15 . 2009-04-30 19:15 -------- d-----w c:\windows\LastGood
    2009-04-27 20:07 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-27 18:26 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-27 18:26 . 2009-04-27 18:26 -------- dc----w c:\windows\system32\DRVSTORE
    2009-04-27 18:25 . 2009-04-27 18:25 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-27 18:24 . 2009-04-27 18:26 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-27 04:11 . 2009-04-27 17:40 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-27 03:50 . 2009-04-30 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-04-26 22:47 . 2009-04-26 22:47 -------- d-----w c:\program files\Trend Micro
    2009-04-11 22:23 . 2009-04-11 22:23 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-28 17:25 . 2009-04-28 17:25 162 ---ha-w c:\windows\system32\~$prnet.tmp
    2009-04-27 18:24 . 2006-01-01 03:26 -------- d-----w c:\program files\Lavasoft
    2009-04-27 15:30 . 2007-10-23 04:51 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-31 18:25 . 2005-11-27 04:44 -------- d-----w c:\program files\QuickTime
    2009-03-31 18:21 . 2009-03-31 18:20 -------- d-----w c:\program files\Apple Software Update
    2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Real
    2009-03-31 04:26 . 2005-09-12 19:00 -------- d-----w c:\program files\Common Files\Real
    2009-03-31 04:25 . 2005-09-12 18:49 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-15 18:58 . 2008-08-13 15:36 -------- d-----w c:\program files\Microsoft Silverlight
    2009-02-16 04:42 . 2009-02-02 00:39 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-02-09 10:19 . 2004-08-26 16:12 1846272 ----a-w c:\windows\system32\win32k.sys
    2009-02-01 18:29 . 2005-11-27 03:30 1896 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\32788R22FWJFW ----



    ((((((((((((((((((((((((((((( SnapShot@2009-04-30_01.16.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-30 20:45 . 2008-09-30 20:45 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
    + 2009-04-30 19:13 . 2009-04-30 19:13 16384 c:\windows\TEMP\Perflib_Perfdata_2e0.dat
    + 2005-05-26 09:16 . 2008-10-16 18:09 43544 c:\windows\system32\wups2.dll
    + 2004-08-26 18:01 . 2008-10-16 18:08 34328 c:\windows\system32\wups.dll
    + 2004-08-26 18:01 . 2008-10-16 18:09 51224 c:\windows\system32\wuauclt.exe
    + 2005-09-12 19:11 . 2007-07-27 13:41 26488 c:\windows\system32\spupdsvc.exe
    - 2008-01-31 03:04 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
    + 2008-01-31 03:04 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
    + 2009-04-30 01:22 . 2008-10-16 18:09 43544 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
    + 2009-04-30 01:22 . 2008-10-16 18:08 34328 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
    + 2004-08-26 18:01 . 2008-10-16 18:08 34328 c:\windows\system32\dllcache\wups.dll
    + 2004-08-26 18:01 . 2008-10-16 18:09 51224 c:\windows\system32\dllcache\wuauclt.exe
    + 2004-08-26 16:11 . 2008-10-16 18:09 92696 c:\windows\system32\dllcache\cdm.dll
    + 2004-08-26 16:11 . 2008-10-16 18:09 92696 c:\windows\system32\cdm.dll
    + 2009-04-30 05:02 . 2009-04-30 05:02 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
    + 2005-09-12 19:10 . 2008-02-15 09:06 351744 c:\windows\system32\xpsp3res.dll
    + 2004-08-26 18:01 . 2008-10-16 18:13 202776 c:\windows\system32\wuweb.dll
    + 2004-08-26 18:01 . 2008-10-16 18:12 323608 c:\windows\system32\wucltui.dll
    + 2004-08-26 18:01 . 2008-10-16 18:12 561688 c:\windows\system32\wuapi.dll
    - 2004-08-26 16:12 . 2004-08-04 19:00 351232 c:\windows\system32\winhttp.dll
    + 2004-08-26 16:12 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
    + 2004-08-26 16:12 . 2008-10-03 10:15 247326 c:\windows\system32\strmdll.dll
    + 2004-08-26 16:12 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
    + 2004-08-26 16:11 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll
    + 2004-08-26 10:54 . 2009-04-30 19:13 151584 c:\windows\system32\FNTCACHE.DAT
    - 2004-08-26 10:54 . 2007-10-23 07:31 151584 c:\windows\system32\FNTCACHE.DAT
    + 2004-08-26 16:12 . 2008-12-11 11:57 333184 c:\windows\system32\drivers\srv.sys
    + 2004-08-26 16:12 . 2008-10-24 11:10 453632 c:\windows\system32\drivers\mrxsmb.sys
    + 2004-08-26 18:01 . 2008-10-16 18:13 202776 c:\windows\system32\dllcache\wuweb.dll
    + 2004-08-26 18:01 . 2008-10-16 18:12 323608 c:\windows\system32\dllcache\wucltui.dll
    + 2004-08-26 18:01 . 2008-10-16 18:12 561688 c:\windows\system32\dllcache\wuapi.dll
    + 2004-08-26 16:12 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
    - 2004-08-26 16:12 . 2004-08-04 19:00 351232 c:\windows\system32\dllcache\winhttp.dll
    + 2004-08-26 16:12 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll
    + 2004-08-26 16:12 . 2008-12-11 11:57 333184 c:\windows\system32\dllcache\srv.sys
    + 2004-08-26 16:12 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
    + 2006-05-05 09:41 . 2008-10-24 11:10 453632 c:\windows\system32\dllcache\mrxsmb.sys
    + 2004-08-26 16:11 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
    + 2005-09-12 19:15 . 2008-10-24 11:10 453632 c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2008-09-30 20:42 . 2008-09-30 20:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
    + 2004-08-26 18:01 . 2008-10-16 18:13 1809944 c:\windows\system32\wuaueng.dll
    + 2004-08-26 16:12 . 2008-07-03 13:03 8460800 c:\windows\system32\shell32.dll
    + 2008-09-30 20:43 . 2008-09-30 20:43 1286152 c:\windows\system32\msxml4.dll
    + 2004-08-26 16:12 . 2008-09-04 16:42 1106944 c:\windows\system32\msxml3.dll
    + 2004-08-26 18:01 . 2008-10-16 18:13 1809944 c:\windows\system32\dllcache\wuaueng.dll
    + 2004-08-26 16:12 . 2009-02-09 10:19 1846272 c:\windows\system32\dllcache\win32k.sys
    + 2004-08-26 16:12 . 2008-07-03 13:03 8460800 c:\windows\system32\dllcache\shell32.dll
    + 2004-08-26 16:12 . 2008-09-04 16:42 1106944 c:\windows\system32\dllcache\msxml3.dll
    + 2004-08-26 16:12 . 2008-11-11 22:34 10838016 c:\windows\system32\wmp.dll
    + 2004-08-26 16:12 . 2008-11-11 22:34 10838016 c:\windows\system32\dllcache\wmp.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-05-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-05-13 126976]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "emMON"="HCWemMON.exe" - c:\windows\HCWemMON.exe [2006-05-31 61440]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-9-12 1742384]
    BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2006-2-6 98304]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 17:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\BigFix\\BigFix.exe"=
    "c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

    2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-pidle - c:\documents and settings\Owner\Application Data\pidle\pidle.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\[email protected]\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tf2sznso.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-30 15:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(776)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-04-30 15:23
    ComboFix-quarantined-files.txt 2009-04-30 19:22
    ComboFix2.txt 2009-04-30 01:29

    Pre-Run: 7,317,864,448 bytes free
    Post-Run: 7,319,453,696 bytes free

    Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
    228 --- E O F --- 2009-04-30 05:04




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:25:32 PM, on 4/30/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\HCWemMON.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [emMON] HCWemMON.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6354 bytes
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  8. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    Here's the report:

    Malwarebytes' Anti-Malware 1.36
    Database version: 2066
    Windows 5.1.2600 Service Pack 2

    5/1/2009 4:15:23 PM
    mbam-log-2009-05-01 (16-15-23).txt

    Scan type: Quick Scan
    Objects scanned: 94651
    Time elapsed: 8 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 16
    Registry Values Infected: 1
    Registry Data Items Infected: 22
    Folders Infected: 2
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\silent.coolbho (Adware.Rabio) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\silent.coolbho.1 (Adware.Rabio) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3be18056-e742-4777-a09f-426bf38dc235} (Adware.Rabio) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{c1b0024f-d9db-4653-bca0-0cb670428f6a} (Adware.Rabio) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{57a8860b-6d4a-4b77-a485-303f0abb920c} (Adware.Rabio) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MsSC2 (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Cool (Adware.Webbuying) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Cool (Adware.Webbuying) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Cool (Adware.Webbuying) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\Silent.DLL (Adware.Webbuying) -> Quarantined and deleted successfully.
    KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1919ef7c-f248-4e2e-9280-b58c21c063cc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{55297bfe-2dd2-45a8-868c-82bca3d8369e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{955bff23-dcb0-49a8-8d84-4f570d95e42b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1919ef7c-f248-4e2e-9280-b58c21c063cc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{55297bfe-2dd2-45a8-868c-82bca3d8369e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{955bff23-dcb0-49a8-8d84-4f570d95e42b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1919ef7c-f248-4e2e-9280-b58c21c063cc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{55297bfe-2dd2-45a8-868c-82bca3d8369e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{955bff23-dcb0-49a8-8d84-4f570d95e42b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b15b7f7a-b959-4bc2-b2c5-8718b30effda}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ce2d8502-8a59-491d-bf21-f804b6ec3bff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.205,85.255.112.66 -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\xirdrvr (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\temp2 (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kcopt.dll (Stolen.Data) -> Quarantined and deleted successfully.
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

    JRE 6 Update 13

    Instructions for Kaspersky scan:

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.
     
  10. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    log attached
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    Please post a new HijackThis log.
     
  12. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:04:04 PM, on 5/2/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\HCWemMON.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [emMON] HCWemMON.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5938 bytes
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    You will need to disable Ad-Aware's Ad-Watch before doing this or it will interfere.

    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =

    Reboot and post a new HijackThis log.

    Also, please do this:

    Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
     
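The check the helper is doing by eye in the post above, reading the O17 NameServer entries across every control set, as an added Python example that is not from the thread, from Trend Micro or from Malwarebytes: it parses HijackThis O17 lines, flags resolvers outside an assumed allow-list (private ranges by default, since a home PC normally takes DNS from its router) and reports the empty leftover values that "fix checked" clears. The sample lines are constructed from the O17 block of the first log in this thread.

```python
"""Flag suspicious DNS settings in the O17 section of a HijackThis log.

Added example, not part of the thread or of HijackThis itself. The allow-list
and the sample log block below are assumptions/constructed input.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Matches lines such as
#   O17 - HKLM\System\CS1\Services\Tcpip\..\{GUID}: NameServer = 85.255.113.205,85.255.112.66
#   O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<name>\w+) =\s*(?P<data>.*)$")
CS_RE = re.compile(r"\\(CS\d+|CCS)\\")

# Assumed allow-list: resolvers handed out by a home router live in private
# space; pass your ISP's resolvers in as well if the machine uses them directly.
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")


@dataclass
class O17Entry:
    control_set: str          # "CS1", "CS2", ... or "CCS"
    interface: str            # "Parameters" (global) or the adapter GUID
    name: str                 # NameServer, DhcpNameServer, Domain, SearchList
    servers: list = field(default_factory=list)
    raw: str = ""


def parse_o17(log_text):
    """Return the O17 entries found in a HijackThis log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        cs = CS_RE.search(key)
        servers = [s for s in re.split(r"[,\s]+", m.group("data")) if s]
        entries.append(O17Entry(
            control_set=cs.group(1) if cs else "?",
            interface=key.rsplit("\\", 1)[-1],
            name=m.group("name"),
            servers=servers,
            raw=line,
        ))
    return entries


def classify(entry, trusted=DEFAULT_TRUSTED):
    """Verdict for one entry: 'ok', 'empty', 'untrusted' or 'malformed'."""
    if entry.name not in ("NameServer", "DhcpNameServer"):
        return "ok"
    if not entry.servers:
        # Harmless by itself, but after a DNS-changer cleanup it is a leftover
        # value that HijackThis "fix checked" removes.
        return "empty"
    nets = [ipaddress.ip_network(n) for n in trusted]
    for s in entry.servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            return "malformed"
        if not any(ip in n for n in nets):
            return "untrusted"
    return "ok"


def report(log_text, trusted=DEFAULT_TRUSTED):
    """Map each O17 line to its verdict and collect the untrusted resolver IPs."""
    verdicts = {}
    untrusted = set()
    for e in parse_o17(log_text):
        v = classify(e, trusted)
        verdicts[e.raw] = v
        if v == "untrusted":
            untrusted.update(e.servers)
    return verdicts, sorted(untrusted)


# Constructed sample: the O17 block from the first log in the thread, before
# the Malwarebytes cleanup, with the rogue 85.255.x.x resolvers it showed.
BEFORE_LOG = r"""
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{1919EF7C-F248-4E2E-9280-B58C21C063CC}: NameServer = 85.255.113.205,85.255.112.66
"""

if __name__ == "__main__":
    verdicts, ips = report(BEFORE_LOG)
    for raw, v in verdicts.items():
        print(f"{v:10s} {raw}")
    print("untrusted resolvers:", ips)
```

Run it over the second HijackThis log from the thread and only the "empty" verdicts remain, which is exactly what the helper asked to have fixed.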
  14. timiuser

    timiuser Thread Starter

    Joined:
    Apr 26, 2009
    Messages:
    42
    Done!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:43:35 PM, on 5/2/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\HCWemMON.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [emMON] HCWemMON.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5654 bytes
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    AOL Instant Messenger
    Apple Software Update
    BigFix
    BitTornado 0.3.7
    BounceBack Express
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window DSLR 5 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX (E)
    Conexant AC-Link Audio
    Critical Update for Windows Media Player 11 (KB959772)
    DivX Web Player
    GTK+ Runtime 2.12.8 rev a (remove only)
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Intel(R) Graphics Media Accelerator Driver for Mobile
    iPod for Windows
    iPod for Windows 2005-02-07
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    iPod2PC 2.14
    iTunes
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Web Start
    Java(TM) 6 Update 12
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    JetBee FREE 4.0.7 (build 318)
    JukeBox Database v3.02
    JukeBox Database v3.02 (c:\Program Files\JukeBox Database\)
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Digital Image Starter Edition 2006
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.0.10)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero BurnRights
    Nero OEM
    Netflix Movie Viewer
    PowerDVD
    PrimoPDF
    QuickTime
    Rhapsody Player Engine
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Soft Data Fax Modem with SmartCP
    SoulSeek Client 156c
    SUPERAntiSpyware Free Edition
    Synaptics Pointing Device Driver
    TBS WMP Plug-in
    Texas Instruments PCIxx21/x515 drivers.
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VideoLAN VLC media player 0.8.5
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Backup Utility
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB896626
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,689
    What happened to your anti-virus program? Did you uninstall it? :confused:

    Go to Control Panel - Add/Remove programs and remove:

    Viewpoint Media Player

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

    Upgrading Java:

    • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 13 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with (Java Runtime Environment, JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.


    These are the older versions of Java that you need to uninstall:

    Java 2 Runtime Environment, SE v1.4.1_02
    Java(TM) 6 Update 12
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7



    Reboot and post a new HijackThis log please.
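    An added example, not part of Cookiegal's reply or of any tool mentioned in the thread: a PowerShell check that reads the same Add/Remove Programs data the steps above walk through by hand and flags every Java entry older than the JRE 6 Update 13 target, so a user can confirm nothing stale is left before rebooting. The registry paths are the standard Uninstall keys; the target update number and the assumption that anything not named "Java(TM) N Update M" is a legacy install are mine.

```powershell
# Added example (not from the Tech Support Guy thread or its participants).
# Lists Java entries from the Add/Remove Programs registry data and marks
# those older than the target update level as stale. Assumes a 32-bit
# Windows XP-era system; the Wow6432Node key is included so the same check
# also covers 32-bit Java on 64-bit Windows.

$targetMajor  = 6
$targetUpdate = 13   # JRE 6 Update 13, the version the reply tells the user to install

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every uninstall entry whose display name looks like a Java runtime.
$javaEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path "$key\*" -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Java|JRE|J2SE' }
    }
}

$report = foreach ($entry in $javaEntries) {
    $name = $entry.DisplayName
    if ($name -match 'Java\(TM\) (\d+) Update (\d+)') {
        # Modern naming, e.g. "Java(TM) 6 Update 12": compare major and update numbers.
        $major  = [int]$Matches[1]
        $update = [int]$Matches[2]
        $stale  = ($major -lt $targetMajor) -or
                  ($major -eq $targetMajor -and $update -lt $targetUpdate)
    } else {
        # Legacy naming, e.g. "Java 2 Runtime Environment, SE v1.4.1_02": always stale (assumption).
        $stale = $true
    }
    [pscustomobject]@{
        DisplayName     = $name
        Stale           = $stale
        UninstallString = $entry.UninstallString
    }
}

# Show stale versions first so the ones to remove are obvious.
$report | Sort-Object Stale -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt after the reboot; an empty Stale=True section means the older versions listed in the reply are gone, and the UninstallString column gives the exact command Add/Remove Programs would have run for any that remain.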
     
Short URL to this thread: https://techguy.org/822285