15 replies to this topic

[Heavus]

Here is my HiJackThis scan. No Malwarebytes, will not run in safe mode or normal even renamed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:55 PM, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mark\Application Data\U3\43236116A24100A6\285E6953-BF3C-4445-9376-3FE5D7F645B2\Exec\bin\SignupShield.exe
C:\Documents and Settings\Mark\Application Data\U3\43236116A24100A6\LaunchPad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mark\Desktop\Mark.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\is-I6FDB.tmp\Mark.tmp
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286a644bb2b950...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201991127919
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9043 bytes





This may be from the following web site and the following program. Not sure, first time I have seen this, please post your comments. Program: MightyRegistry_Setup.exe

Domain name: updates-easy.com

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (kxktfvrv@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O updates-easy.com
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (kxktfvrv@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O updates-easy.com
Bellevue, WA 98007
US

[Heavus]

Here is the Combfix. I was able to run after reloading the msvbvm60.dll in c:\windows\system32 per the instruction from Rubber Ducky in a old post.

ComboFix 09-02-08.02 - Mark 2009-02-09 22:09:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.268 [GMT -8:00]
Running from: c:\documents and settings\Mark\Desktop\aaaads.exe
Command switches used :: c:\documents and settings\Mark\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Internet Explorer.lnk
c:\program files\Dynamic Toolbar
c:\program files\Dynamic Toolbar\REALBAR\Cache\bubble.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\bubble16.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\celebs.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\gotb.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\highlight.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\hotstuff.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\hotstuffsm.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\movies.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\music.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\news.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\ngames.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\radio.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\REALBARTB0115.cfg
c:\program files\Dynamic Toolbar\REALBAR\Cache\REALBARTB1115.cfg
c:\program files\Dynamic Toolbar\REALBAR\Cache\sports.bmp
c:\program files\newdotnet
c:\program files\newdotnet\readme.txt
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\system32\digeste.dll
c:\windows\system32\drivers\TDSSmhxt.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\wpv671233854729.cpx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-09 21:52 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\system32\msvbvm60.dll
2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3
2009-02-09 21:31 . 2009-02-09 21:31 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for
2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-02-09 20:07 . 2009-01-18 13:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d--h-c--- c:\documents and settings\All Users.WINDOWS\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-09 19:46 . 2009-01-18 13:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-09 19:45 . 2009-02-09 19:45 <DIR> d-------- c:\program files\Lavasoft
2009-02-09 19:45 . 2009-02-09 19:45 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-02-09 16:49 . 2009-02-09 21:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache
2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates
2009-02-09 16:43 . 2009-02-09 16:43 1,355 --a------ c:\windows\imsins.BAK
2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8
2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-09 16:30 . 2009-02-09 16:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-09 16:30 . 2009-02-09 16:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!
2009-02-09 15:14 . 2009-02-09 16:47 <DIR> d-------- c:\documents and settings\Mark
2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator
2009-02-07 15:39 . 2009-02-07 15:39 362,504 --a------ c:\windows\sysguard.exe
2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 06:08 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-09 23:56 --------- d-----w c:\program files\Google
2009-02-09 23:55 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-02-09 23:54 --------- d-----w c:\program files\Symantec
2009-02-09 23:52 --------- d-----w c:\program files\Norton Internet Security
2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 03:49 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe
2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe
2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-13 771704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 21:59 115816 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-09 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-24 109616]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c960721-f6ff-11dd-9bce-0002e315c848}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll
MSConfigStartUp-bnmpntwd - c:\windows\System32\bnmpntwd.exe
MSConfigStartUp-dbmsrpcn - c:\windows\System32\dbmsrpcn.exe
MSConfigStartUp-kdx - c:\windows\kdx\KHost.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.EXE
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
MSConfigStartUp-winpack - c:\windows\System32\winpack.exe
MSConfigStartUp-xflogt - c:\windows\System32\xflogt.exe


.
------- Supplementary Scan -------
.
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/286a644bb2b950c03e06/netzip/RdxIE601.cab
.
.
------- File Associations -------
.
inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 22:13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-09 22:16:05
ComboFix-quarantined-files.txt 2009-02-10 06:16:02

Pre-Run: 11,081,216,000 bytes free
Post-Run: 12,938,657,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

261 --- E O F --- 2009-01-30 03:49:50

[Heavus]

Malware log

Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2

2/9/2009 10:52:59 PM
mbam-log-2009-02-09 (22-52-59).txt

Scan type: Quick Scan
Objects scanned: 69399
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

[Heavus]

New HIJACK THis Scan


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:26 PM, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286a644bb2b950...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201991127919
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8376 bytes

[Heavus]

Ststem now operating and able to access sites I was not able to get ot before. especially Malwarebytes.org and other security site that were shut down.

Have some more clean up to do but I thought I would share this information.

Thanks.

Heavus

[AdvancedSetup]

Sorry for the delay.

Please download to the desktop: Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  
• Back at the main window, mark the drives that you want to scan.
  
• Select all drives. A red dot shows which drives have been chosen.
  
• Click the green arrow at the right, and the scan will start.
  
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found:
  
  If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

[Heavus]

Here is the DRWeb scan. In this case aaads.exe is a renamed combofix.exe.

Thanks.

realbar.dll;c:\program files\common files\real\toolbar;Adware.MegaSearch;Incurable.Deleted.;
aaaads.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mark\Desktop\aaaads.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Mark\Desktop;Archive contains infected objects;;
aaaads.exe;C:\Documents and Settings\Mark\Desktop;Container contains infected objects;Moved.;
aim95.exe\data037;C:\Program Files\AIM\aim95.exe;Adware.Aws;;
aim95.exe;C:\Program Files\AIM;Archive contains infected objects;Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
A0109165.exe/data004\cd_clint.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629\A0109165.exe/data004;Adware.Cydoor;;
A0109165.exe/data004\cd_htm.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629\A0109165.exe/data004;Adware.Cydoor;;
data004;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629;Archive contains infected objects;;
A0109165.exe;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629;Archive contains infected objects;Moved.;
A0109536.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630;Adware.MegaSearch;;
A0109538.exe\data037;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630\A0109538.exe;Adware.Aws;;
A0109538.exe;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630;Archive contains infected objects;Moved.;

[Heavus]

Here is the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:57 PM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\e32e42b86ada41fe0c947743c71f222c\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286a644bb2b950...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201991127919
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8850 bytes

[AdvancedSetup]

Okay, please delete your current copy of Combofix.exe (or what ever you've named it) and download a NEW fresh copy and run it again and post back that log please.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

[Heavus]

Big File, not able to post all because of size. I installed SP3 and that is reporting lots of files.


ComboFix 09-02-10.01 - Mark 2009-02-10 20:06:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.279 [GMT -8:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 19:14 . 2009-02-10 19:14 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser
2009-02-10 18:25 . 2009-02-10 18:26 1,374 --a------ c:\windows\imsins.BAK
2009-02-10 16:46 . 2009-02-10 16:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn
2009-02-10 16:46 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-02-10 16:46 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-02-10 16:46 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-02-10 16:46 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-02-10 16:46 . 2009-02-10 16:46 1,024 --a------ C:\.rnd
2009-02-10 16:45 . 2009-02-10 16:46 <DIR> d-------- c:\program files\LogMeIn
2009-02-10 16:44 . 2009-02-10 16:44 <DIR> d-------- c:\documents and settings\Mark\.java
2009-02-10 14:03 . 2009-02-10 14:03 <DIR> d-------- c:\windows\system32\scripting
2009-02-10 13:49 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-10 13:49 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-10 13:46 . 2006-12-29 00:31 19,569 --a------ c:\windows\005668_.tmp
2009-02-10 07:06 . 2009-02-10 08:29 <DIR> d-------- c:\documents and settings\Mark\DoctorWeb
2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\program files\Avira
2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-02-09 22:24 . 2009-02-09 22:24 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-02-09 22:00 . 2009-02-09 22:16 <DIR> d-------- C:\aaaads
2009-02-09 21:52 . 2008-04-14 05:42 1,384,479 --a------ c:\windows\system32\msvbvm60.dll
2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3
2009-02-09 21:31 . 2009-02-10 12:08 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for
2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-02-09 19:46 . 2009-02-10 16:31 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 19:45 . 2009-02-10 16:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-02-09 16:49 . 2009-02-09 22:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache
2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates
2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8
2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-09 16:30 . 2009-02-10 16:40 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!
2009-02-09 15:14 . 2009-02-10 16:47 <DIR> d-------- c:\documents and settings\Mark
2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator
2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 23:13 --------- d-----w c:\program files\Symantec
2009-02-10 23:13 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-10 23:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-02-10 20:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-02-10 16:34 --------- d-----w c:\program files\AIM
2009-02-09 23:56 --------- d-----w c:\program files\Google
2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe
2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe
2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-10 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c960721-f6ff-11dd-9bce-0002e315c848}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe


.
------- File Associations -------
.
inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 20:09:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-02-10 20:11:20
ComboFix-quarantined-files.txt 2009-02-11 04:11:09
ComboFix2.txt 2009-02-10 06:16:07

Pre-Run: 13,752,733,696 bytes free
Post-Run: 13,811,126,272 bytes free

8758 --- E O F --- 2009-02-10 20:12:12

.

[Heavus]

Here is a full log. Thanks.



ComboFix 09-02-10.01 - Mark 2009-02-10 20:33:04.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.240 [GMT -8:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 19:14 . 2009-02-10 20:14 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser
2009-02-10 16:46 . 2009-02-10 16:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn
2009-02-10 16:46 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-02-10 16:46 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-02-10 16:46 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-02-10 16:46 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-02-10 16:46 . 2009-02-10 16:46 1,024 --a------ C:\.rnd
2009-02-10 16:45 . 2009-02-10 16:46 <DIR> d-------- c:\program files\LogMeIn
2009-02-10 16:44 . 2009-02-10 16:44 <DIR> d-------- c:\documents and settings\Mark\.java
2009-02-10 14:03 . 2009-02-10 14:03 <DIR> d-------- c:\windows\system32\scripting
2009-02-10 13:49 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-10 13:49 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-10 13:46 . 2006-12-29 00:31 19,569 --a------ c:\windows\005668_.tmp
2009-02-10 07:06 . 2009-02-10 08:29 <DIR> d-------- c:\documents and settings\Mark\DoctorWeb
2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\program files\Avira
2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-02-09 22:24 . 2009-02-09 22:24 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-02-09 21:52 . 2008-04-14 05:42 1,384,479 --a------ c:\windows\system32\msvbvm60.dll
2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3
2009-02-09 21:31 . 2009-02-10 12:08 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for
2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-02-09 19:46 . 2009-02-10 16:31 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 19:45 . 2009-02-10 16:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-02-09 16:49 . 2009-02-09 22:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache
2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates
2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8
2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-09 16:30 . 2009-02-10 16:40 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!
2009-02-09 15:14 . 2009-02-10 20:26 <DIR> d-------- c:\documents and settings\Mark
2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator
2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 23:13 --------- d-----w c:\program files\Symantec
2009-02-10 23:13 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-10 23:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-02-10 20:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-02-10 16:34 --------- d-----w c:\program files\AIM
2009-02-09 23:56 --------- d-----w c:\program files\Google
2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe
2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe
2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-10 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- File Associations -------
.
inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 20:34:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-02-10 20:36:49
ComboFix-quarantined-files.txt 2009-02-11 04:36:46
ComboFix2.txt 2009-02-11 04:11:22
ComboFix3.txt 2009-02-10 06:16:07

Pre-Run: 13,820,166,144 bytes free
Post-Run: 13,805,916,160 bytes free

204 --- E O F --- 2009-02-10 20:12:12

[AdvancedSetup]

Okay, let's try this. Maybe I'm just missing it but don't see the parent process there in CF.

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

• On the Desktop, right-click My Computer.
  
• Click Properties.
  
• Click the System Restore tab.
  
• Check Turn off System Restore.
  
• Click Apply, and then click OK.
  
• Reboot.

Turn ON System Restore

• On the Desktop, right-click My Computer.
  
• Click Properties.
  
• Click the System Restore tab.
  
• UN-Check *Turn off System Restore*.
  
• Click Apply, and then click OK.

This will remove all restore points except the new one you just created.


Then run this

Download and install CCleaner

• CCleaner
  
• Double-click on the downloaded file "ccsetup216.exe" and install the application.
  
• Keep the default installation folder "C:\Program Files\CCleaner"
  
• Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  
• Click finish when done and close ALL PROGRAMS
  
• Start the CCleaner program.
  
• Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  
• Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  
• Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  
• Click on Run Cleaner button on the bottom right side of the program.
  
• Click OK to any prompts

Then try to run this tool - burn from another system if you have to.

Avira AntiVir Rescue System
[indent]Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the Avira AntiVir Rescue System from here
  
• Place a blank CD in your burner and double-click on the downloaded file.
  
• The program will automatically burn the CD for you.
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
• Click on the Configuration button.
  
  • Select Scan all files
    
  • Select Try to repair infected files and Rename files, if they cannot be removed
    
  • Select Scan for dialers
    
  • Select Scan for joke programs (Jokes)
    
  • Select Scan for games
    
  • Select Scan for spyware (SPR)
• Click on Virus scanner
  
• Click on Start scanner at the bottom of the screen
  
• Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems
Please see the post here if you're unable to view the entire screen of Avira.[/indent]

[Heavus]

All suggested actions were performed.

Here is the results of the Avira scan from the boot CD.


70884 scanned files, there was 0 Suspect Files but three alerts.

The Alerts were:

[ADSPY/Wildtangent.A]/mnt.hda1/windows/wt/webdriver/wtmulti.dll<<contains detection pattern of the AD- or Spyware ADSPY/wildtangent.A

[SPR/Wildtangent.B]/mnt/hda1/windows/wt/wtupdates/wtwebdriver/files/3.3.1.001/npwthost.dll<<contains detection pattern of the SPR/wildtangent.B program

[ADSPY/wildtangent.A]/mnt/hda1/windows/wt/wtupdates/wtwebdriver/files/3.3.1.001/wtmulti.dll<<Contains detection pattern of teh AD- or spyware ADSPY/wildtangent.A

Thanks,

Heavus

[AdvancedSetup]

Well that all looks okay.

Are you still having signs of an infection?

[Heavus]

No signs, working well.



Heavus

[AdvancedSetup]

Great - glad to hear it.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


[indent]At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

• On the Desktop, right-click My Computer.
  
• Click Properties.
  
• Click the System Restore tab.
  
• Check Turn off System Restore.
  
• Click Apply, and then click OK.
  
• Reboot.

Turn ON System Restore

• On the Desktop, right-click My Computer.
  
• Click Properties.
  
• Click the System Restore tab.
  
• UN-Check *Turn off System Restore*.
  
• Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org[/indent]