So I've run Malwarebytes and I've run Spybot Search & Destroy on a regular basis. Sometimes Malware Doctor goes away for a few hours but is never completely erased.
Here is my HijackThis log.
PLEASE HELP!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:30 PM, on 5/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\LocalService\Application Data\916653139.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Microsoft copyright - {F30B5E7E-CFBB-44fb-A947-226E5A7A4290} - jhxm32.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2849214032.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE4DDD.exe] C:\WINDOWS\TEMP\_A00FE4DDD.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F8A40BC0.exe] C:\WINDOWS\TEMP\_A00F8A40BC0.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Will Rushing\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk....com/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://www.webpcfos...trix/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 12452 bytes
#1
Posted 24 May 2009 - 09:38 PM
#2
Posted 25 May 2009 - 12:37 PM
Hi,
First of all, please update Malwarebytes, because the database version appears to be way outdated.
- Start Malwarebytes and click the Update tab. There, click "Check for updates".
- In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
- Once the updates are downloaded, perform a full scan again.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see the extra note below).
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra note: if MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
#3
Posted 25 May 2009 - 04:25 PM
THANK YOU SO MUCH FOR TAKING THE TIME TO HELP ME!!!
Here first is the log from Malwarebytes:
Malwarebytes' Anti-Malware 1.36
Database version: 2176
Windows 5.1.2600 Service Pack 2
5/25/2009 12:19:51 PM
mbam-log-2009-05-25 (12-19-51).txt
Scan type: Quick Scan
Objects scanned: 143144
Time elapsed: 30 minute(s), 7 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 19
Memory Processes Infected:
C:\Documents and Settings\LocalService\Application Data\916653139.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\autochk.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware doctor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware doctor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\autochk.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\916653139.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\SystemProfile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Connie Rushing\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donnie Rushing\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\70JUFZ0O\mlw[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Connie Rushing\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donnie Rushing\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Connie Rushing\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donnie Rushing\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donnie Rushing\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:29 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2849214032.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE4DDD.exe] C:\WINDOWS\TEMP\_A00FE4DDD.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F8A40BC0.exe] C:\WINDOWS\TEMP\_A00F8A40BC0.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Will Rushing\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk....com/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://www.webpcfos...trix/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 11832 bytes
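As an added example for this thread (not code from HijackThis, Malwarebytes or either poster), the script below parses HijackThis entry lines, tags the ones a log reader would question, and compares the first log against the second to separate what the Malwarebytes run removed from what is still present. The sample lines are a subset copied from the two logs posted above; the allowlist of expected search/home-page domains and the reason tags are assumptions made for illustration, and a tag is a prompt to look closer, not a verdict.

```python
"""Triage HijackThis (HJT) entry lines and compare a before/after pair of logs.

Added example for this thread; not code from HijackThis, Malwarebytes or the posters.
The sample lines are a subset copied from the two logs posted in the thread.
EXPECTED_SEARCH_DOMAINS and the reason tags are assumptions made for illustration.
"""
import re
from urllib.parse import urlparse

# Subset of the first HJT log (before the Malwarebytes run), copied from the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
O2 - BHO: Microsoft copyright - {F30B5E7E-CFBB-44fb-A947-226E5A7A4290} - jhxm32.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2849214032.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Subset of the second HJT log (after the Malwarebytes run), copied from the thread.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2849214032.exe (User 'SYSTEM')
"""

# Assumption: hosts this machine's owner legitimately uses for search and home page.
EXPECTED_SEARCH_DOMAINS = {"go.microsoft.com", "us.rd.yahoo.com", "www.att.net", "about:blank"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")


def parse(log):
    """Return [(section, body)] for every HJT entry line; process-list and header lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body").strip()))
    return entries


def triage(section, body):
    """Return reason tags for an entry; an empty list means nothing in the line stands out."""
    reasons = []
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphan")  # registration whose file is gone; clean-up item, not an active threat
    if section == "O7":
        reasons.append("policy-restriction")  # DisableRegedit / DisableTaskMgr style lockouts
    if section.startswith("R") and "Internet Explorer" in body and "=" in body:
        url = body.split("=", 1)[1].strip()
        host = urlparse(url).netloc or url
        if host not in EXPECTED_SEARCH_DOMAINS:
            reasons.append("search-hijack")
    if section == "O4":
        # Autoruns launched from TEMP or from a user profile's data directories
        if re.search(r"\\temp\\|\\application data\\|\\docume~1\\", low):
            reasons.append("temp-or-profile-autorun")
        # rundll32 autoruns deserve a look even when the DLL sits in system32
        if "rundll32" in low:
            reasons.append("rundll32-autorun")
        # Executables named by a long run of digits, e.g. 916653139.exe
        if re.search(r"\\_?\d{6,}\.exe", low):
            reasons.append("numeric-filename")
    return reasons


def compare(before, after):
    """Split entries into removed / persisted / new by exact (section, body) match."""
    b, a = set(before), set(after)
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


def still_suspicious(before_log, after_log):
    """Entries flagged in the first log that survive unchanged into the second."""
    delta = compare(parse(before_log), parse(after_log))
    return [(sec, body, triage(sec, body)) for sec, body in delta["persisted"] if triage(sec, body)]


if __name__ == "__main__":
    delta = compare(parse(LOG_BEFORE), parse(LOG_AFTER))
    for bucket in ("removed", "persisted", "new"):
        print(f"== {bucket} ==")
        for sec, body in delta[bucket]:
            print(f"  [{','.join(triage(sec, body)) or '-'}] {sec} - {body}")
```

Run as-is, the "persisted" bucket contains the gophersearch search hijack and the HKUS\S-1-5-18 Run entry pointing into C:\WINDOWS\TEMP, both of which are still present in the second HijackThis log above, so on the evidence of these two logs the cleanup is not finished. The exact-match comparison is deliberately strict: an entry whose path or name changed between runs shows up as removed plus new, which is itself worth noticing when a rogue re-drops itself under a fresh random name.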
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:29 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2849214032.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE4DDD.exe] C:\WINDOWS\TEMP\_A00FE4DDD.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F8A40BC0.exe] C:\WINDOWS\TEMP\_A00F8A40BC0.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Will Rushing\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk....com/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://www.webpcfos...trix/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 11832 bytes
#4
Posted 25 May 2009 - 04:53 PM
Hi,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2849214032.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE4DDD.exe] C:\WINDOWS\TEMP\_A00FE4DDD.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F8A40BC0.exe] C:\WINDOWS\TEMP\_A00F8A40BC0.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\t4edv70owg.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O8 - Extra context menu item: &Search - ?p=ZK
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Will Rushing\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Then,
Please update once more in Malwarebytes, because you're still 2 updates behind. Rescan once again and post the log in your next reply together with a new HijackThis log.
#5
Posted 25 May 2009 - 05:40 PM
Alright, here we go!
Malwarebytes' Anti-Malware 1.36
Database version: 2178
Windows 5.1.2600 Service Pack 2
5/25/2009 1:33:12 PM
mbam-log-2009-05-25 (13-33-12).txt
Scan type: Quick Scan
Objects scanned: 142963
Time elapsed: 21 minute(s), 8 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\SystemProfile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
And the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:11 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk....com/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://www.webpcfos...trix/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 9973 bytes
Malwarebytes' Anti-Malware 1.36
Database version: 2178
Windows 5.1.2600 Service Pack 2
5/25/2009 1:33:12 PM
mbam-log-2009-05-25 (13-33-12).txt
Scan type: Quick Scan
Objects scanned: 142963
Time elapsed: 21 minute(s), 8 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\SystemProfile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
And the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:11 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk....com/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://www.webpcfos...trix/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 9973 bytes
#6
Posted 25 May 2009 - 06:16 PM
Hi,
This looks OK again, but I want to check something, just to make sure.
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#7
Posted 25 May 2009 - 07:18 PM
ComboFix 09-05-25.01 - Will Rushing 05/25/2009 14:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.220 [GMT -4:00]
Running from: c:\documents and settings\Will Rushing\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\Application Data\971313497.exe
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\1707431754.ini
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\1707431754.tc.ini
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\Will Rushing\protect.dll
c:\documents and settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Will Rushing\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\cmapp
c:\program files\cmapp\cmappstub.exe
c:\program files\wincmapp
c:\program files\wincmapp\Uninstall.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\8241_1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthbmyxatqltavyxjlqjboetxribqxmupcp.sys
c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\jhxm32.dll
c:\windows\system32\lklf32.dll
c:\windows\system32\lmn_setup.exe
c:\windows\system32\ovfsthltwcieslfvnkwjivxfuumbdxnmxntdtk.dll
c:\windows\system32\ovfsthomhmajtryjbrqxdnroeonqsnpvdkmwvd.dat
c:\windows\system32\ovfsthpmlrniroisbbiuhbjyjmlhdanqtqvkil.dll
c:\windows\system32\ovfsthsqqrvrglxtupnpsmpjeqqvsrklliojmg.dll
c:\windows\system32\ovfsthysbluinwsywqvxivabgevyuqdvtikkoj.dat
C:\xcrashdump.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV
-------\Legacy_ASHEVTSVC
-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_SVCPROC
-------\Legacy_WINMANUPDATER
-------\Service_ovfsthmybwwkxdyuyxwsnkoehhioaitlgtkwpn
-------\Service_WinManUpdater
((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.
2009-05-25 16:43 . 2009-05-25 16:43 -------- d-----w c:\program files\Microsoft ActiveSync
2009-05-25 16:41 . 2009-05-25 16:43 -------- d-----w c:\windows\SHELLNEW
2009-05-25 16:41 . 2009-05-25 16:41 -------- d-----w c:\program files\Microsoft.NET
2009-05-22 22:20 . 2009-05-22 22:20 -------- d-----w c:\documents and settings\All Users\Application Data\Freedom
2009-05-22 12:43 . 2009-05-22 12:43 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2009-05-17 18:12 . 2009-05-17 18:12 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-17 18:12 . 2009-05-17 18:12 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-17 18:09 . 2009-05-17 18:09 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-17 17:59 . 2009-05-17 17:59 390664 ----a-w c:\documents and settings\Will Rushing\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-15 13:06 . 2009-05-15 19:47 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATTTOOLBAR
2009-05-13 20:19 . 2009-05-13 20:19 -------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-05-13 20:19 . 2009-05-13 20:19 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Babylon
2009-05-11 13:12 . 2009-05-11 13:12 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-07 20:56 . 2009-05-07 20:56 -------- d-----w c:\program files\AT&T
2009-05-07 20:33 . 2009-05-22 22:23 -------- d-----w c:\program files\Common Files\Command Software
2009-05-07 20:33 . 2009-05-22 22:44 -------- d-----w c:\program files\Common Files\PestPatrol
2009-05-07 20:33 . 2009-05-07 20:33 -------- d-----w c:\program files\Radialpoint
2009-05-07 20:33 . 2009-05-07 20:33 -------- d-----w c:\documents and settings\All Users\Application Data\Radialpoint
2009-05-07 20:23 . 2009-05-07 20:23 -------- d-----w c:\program files\ATT-HSI
2009-05-06 01:23 . 2009-05-06 01:23 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-06 01:00 . 2009-03-09 20:56 38208 ----a-w c:\documents and settings\Donnie Rushing\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-05 00:37 . 2009-05-05 00:37 -------- d-----w c:\documents and settings\Will Rushing\Application Data\PC Tools
2009-05-04 14:45 . 2009-05-04 14:45 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\Motive
2009-05-04 12:36 . 2009-05-04 12:36 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-05-04 12:36 . 2009-05-04 12:36 -------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-05-04 00:46 . 2009-05-04 00:46 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-28 23:42 . 2009-05-10 21:09 -------- d-----w c:\documents and settings\Will Rushing\Application Data\ATTTOOLBAR
2009-04-28 11:28 . 2009-04-28 11:28 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\AT&T
2009-04-27 23:28 . 2009-05-07 20:52 -------- d-----w c:\documents and settings\Will Rushing\Application Data\Motive
2009-04-27 23:17 . 2009-04-27 23:17 -------- d-----w c:\documents and settings\Will Rushing\Application Data\AT&T
2009-04-27 23:03 . 2009-04-27 23:03 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\ATTTOOLBAR
2009-04-27 22:51 . 2009-04-27 22:51 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\AT&T
2009-04-27 22:51 . 2009-04-27 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\AT&T
2009-04-27 22:50 . 2009-05-23 08:33 -------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
2009-04-27 22:50 . 2009-05-07 20:56 -------- d-----w c:\program files\ATTToolbar
2009-04-27 22:50 . 2009-05-01 02:47 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\ATTToolbar
2009-04-27 22:48 . 2009-04-27 22:48 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\Motive
2009-04-27 22:46 . 2009-05-13 01:27 -------- d-----w c:\program files\ATT-SST
2009-04-27 22:23 . 2009-04-27 22:54 -------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-04-27 22:23 . 2009-04-27 23:17 -------- d-----w c:\program files\Common Files\Motive
2009-04-27 22:23 . 2009-04-27 22:24 -------- d-----w c:\program files\ATT
2009-04-26 14:26 . 2009-03-26 15:11 2082104 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-04-26 14:26 . 2008-03-04 22:52 286720 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\libcurl.dll
2009-04-26 14:26 . 2007-10-31 13:39 59904 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\zlib1.dll
2009-04-26 14:26 . 2007-05-17 17:58 143360 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\libexpatw.dll
2009-04-26 14:26 . 2006-10-18 21:32 499712 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\msvcp71.dll
2009-04-26 14:26 . 2006-10-18 21:32 348160 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\msvcr71.dll
2009-04-26 14:26 . 2006-10-16 22:44 196608 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\ssleay32.dll
2009-04-26 14:26 . 2006-10-16 22:44 1028096 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\libeay32.dll
2009-04-26 14:25 . 2008-12-04 05:25 120832 ----a-w c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 18:21 . 2005-08-05 03:38 28008 ----a-w c:\documents and settings\Will Rushing\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 21:32 . 2005-08-03 03:30 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-24 21:32 . 2005-08-03 03:30 -------- d-----w c:\program files\Viewpoint
2009-05-23 17:19 . 2005-08-26 02:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-23 17:19 . 2005-08-26 02:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-17 21:04 . 2009-04-04 18:14 -------- d-----w c:\program files\Yahoo!
2009-05-17 21:04 . 2005-08-05 02:10 -------- d-----w c:\program files\Winamp
2009-05-17 21:03 . 2007-08-06 02:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 21:03 . 2005-08-03 03:30 -------- d-----w c:\program files\Common Files\Real
2009-05-17 18:12 . 2008-09-07 23:02 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-15 12:50 . 2009-05-15 12:51 15872 ----a-w c:\windows\system32\OLDC0.tmp
2009-05-07 20:34 . 2005-08-03 03:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-06 01:31 . 2008-09-29 22:18 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-04 01:04 . 2008-09-17 22:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 01:03 . 2009-01-25 23:15 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-04 00:45 . 2009-04-08 20:19 -------- d-----w c:\documents and settings\Will Rushing\Application Data\HPAppData
2009-05-01 02:47 . 2009-04-09 00:49 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\HPAppData
2009-04-28 11:32 . 2009-04-05 23:55 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\HPAppData
2009-04-21 23:48 . 2007-05-25 01:31 -------- d-----w c:\program files\Last.fm
2009-04-19 12:18 . 2008-11-08 21:05 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\DivX
2009-04-14 22:43 . 2009-01-26 22:05 -------- d-----w c:\program files\Safari
2009-04-11 12:16 . 2009-04-11 12:16 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\HP
2009-04-09 00:49 . 2006-09-16 17:41 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\Yahoo!
2009-04-08 20:19 . 2006-07-09 01:54 -------- d-----w c:\documents and settings\Will Rushing\Application Data\Yahoo!
2009-04-08 00:40 . 2008-07-06 14:27 -------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2009-04-06 19:32 . 2008-09-17 22:33 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-09-17 22:33 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 23:55 . 2009-04-05 23:55 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\Yahoo!
2009-04-04 22:30 . 2009-04-04 22:30 -------- d-----w c:\documents and settings\Donnie Rushing\Application Data\HP
2009-04-04 19:24 . 2009-04-04 19:24 -------- d-----w c:\documents and settings\Will Rushing\Application Data\HP
2009-04-04 19:24 . 2009-04-04 17:59 176751 ----a-w c:\windows\hpwins19.dat
2009-04-04 19:20 . 2009-04-04 19:20 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-04 18:08 . 2009-04-04 18:08 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-04 18:08 . 2009-04-04 18:06 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-04 18:08 . 2005-09-12 16:04 -------- d-----w c:\program files\HP
2009-04-04 18:03 . 2005-08-04 22:22 -------- d-----w c:\program files\Common Files\HP
2009-04-04 18:03 . 2009-04-04 18:03 -------- d-----w c:\program files\Hewlett-Packard
2009-03-29 13:32 . 2009-03-29 13:32 -------- d-----w c:\documents and settings\Connie Rushing\Application Data\Malwarebytes
2009-03-18 22:29 . 2009-03-18 22:29 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-06 14:44 . 2004-08-04 10:00 283648 ----a-w c:\windows\system32\pdh.dll
2008-09-08 22:47 . 2008-09-08 22:47 2 --shatr c:\windows\winstart.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-8-5 315392]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\VibeStreamer\\vibestreamer.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25683:TCP"= 25683:TCP:BitComet 25683 TCP
"25683:UDP"= 25683:UDP:BitComet 25683 UDP
R0 Achernar;Achernar - SCSI Command Filters;c:\windows\SYSTEM32\DRIVERS\Achernar.sys [12/19/2007 4:55 PM 16855]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\SYSTEM32\DRIVERS\Aldebaran.sys [12/19/2007 4:55 PM 21808]
S0 eolbf;eolbf;c:\windows\system32\drivers\srlr.sys --> c:\windows\system32\drivers\srlr.sys [?]
S0 hpedap;hpedap;c:\windows\system32\drivers\ytpvfkbm.sys --> c:\windows\system32\drivers\ytpvfkbm.sys [?]
S0 jxnrvk;jxnrvk;c:\windows\system32\drivers\zsozh.sys --> c:\windows\system32\drivers\zsozh.sys [?]
S0 mamawvvj;mamawvvj;c:\windows\system32\drivers\faub.sys --> c:\windows\system32\drivers\faub.sys [?]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\SYSTEM32\DRIVERS\ubVeo532.sys [9/24/2007 9:23 PM 95232]
S3 DSCVc;Video Capture;c:\windows\SYSTEM32\DRIVERS\CoachVc.sys [12/19/2007 4:53 PM 44256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-05-24 c:\windows\Tasks\At1.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At10.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At11.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At12.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At13.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At14.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At15.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-23 c:\windows\Tasks\At16.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-23 c:\windows\Tasks\At17.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At18.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At19.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At2.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-23 c:\windows\Tasks\At20.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At21.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At22.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At23.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At24.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At3.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At4.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At5.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At6.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-24 c:\windows\Tasks\At7.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At8.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
2009-05-25 c:\windows\Tasks\At9.job
- c:\windows\system32\wQmT4CU1.exe [2008-09-07 01:12]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-DXDllRegExe - dxdllreg.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: aol.com\free
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\Will Rushing\Application Data\Mozilla\Firefox\Profiles\eyxnbv4o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 15:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,af,07,aa,80,80,c5,42,9a,64,16,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,af,07,aa,80,80,c5,42,9a,64,16,\
[HKEY_USERS\S-1-5-21-3327755178-2562406999-819860561-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2D78318-59BE-9BC0-6AA0-10B1219010B9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84989203-5DE8-3073-8BE62EC2F2FBE831}\{944CD226-8AE2-56C7-1A2253B060F71AD3}\{34E7E91D-17F9-EA39-81692D881F65A730}*]
"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,
fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A754038D-5461-C6FF-89A37522C498DE93}\{1089EA54-87DF-A583-56CE37BECDECB43B}\{5F10775F-480B-9EA7-99D54B1CB86EF9A3}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Ahead\InCD\incdshx.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\SYSTEM32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\SYSTEM32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-05-25 15:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 19:15
Pre-Run: 33,757,880,320 bytes free
Post-Run: 35,786,924,032 bytes free
362 --- E O F --- 2009-05-25 10:19
#8
Posted 26 May 2009 - 06:10 AM
Hi,
What a mess. No wonder everything was reinstalled again after Malwarebytes removed it - you're even dealing with several rootkits which block Malwarebytes, and I also see you are dealing with older malware as well. This computer has already been infected for a long time and the malware is everywhere in the meantime.
Also, I have a bad feeling here that you may be dealing with Virut as well. I really hope this is not the case here...
In anyway, I want to make you aware of the fact that, even though we clean up all malware, there's no way you can ever trust this computer again.
Also, the malware present already caused a lot of damage as well, so don't expect a 100% perfect working computer again - this is impossible with this huge amount of malware present.
If that was my computer, I wouldn't even bother to try to clean this up manually, but backup my important files and format and reinstall, because that's the only guarantee that I can/will trust this computer again.
Also, your Current Antivirus (Command Software Systems - Authentium) and AT&T-Internet Security appears to be useless. I don't think you were even aware of the presence of an Antivirus. Combofix doesn't even list it as active/running. So it's time to uninstall that one and install another working antivirus, because how would you be able to prevent future malware if nothing is blocking it here?
You don't even have your Firewall enabled....
Anyway, since you decided to clean this up manually, do next please...
* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
File::
c:\windows\system32\drivers\faub.sys
c:\windows\system32\drivers\zsozh.sys
c:\windows\system32\drivers\srlr.sys
c:\windows\system32\drivers\ytpvfkbm.sys
c:\windows\winstart.bat
Collect::[8]
c:\windows\system32\wQmT4CU1.exe
Driver::
mamawvvj
hpedap
jxnrvk
eolbf
AtJob::
REGNULL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A754038D-5461-C6FF-89A37522C498DE93}\{1089EA54-87DF-A583-56CE37BECDECB43B}\{5F10775F-480B-9EA7-99D54B1CB86EF9A3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84989203-5DE8-3073-8BE62EC2F2FBE831}\{944CD226-8AE2-56C7-1A2253B060F71AD3}\{34E7E91D-17F9-EA39-81692D881F65A730}*]
[HKEY_USERS\S-1-5-21-3327755178-2562406999-819860561-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2D78318-59BE-9BC0-6AA0-10B1219010B9}*]
Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
Save this as a txt file named CFScript
Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below it in order to upload it.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
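A CFScript is a plain-text file with `Name::` section headers, and anyone asked to run one should be able to read off exactly what it will do before dragging it onto ComboFix. The parser below is an added example and is not part of the thread or of ComboFix itself; it loads the script text posted above (embedded here as a constructed sample) and produces a summary of the files to be deleted, the file to be quarantined for submission, the services to be removed, the null-embedded registry keys, and the registry values to be set or deleted. The section meanings it applies (File:: delete, Collect:: quarantine into the Submit zip, Driver:: remove the service, Registry:: apply .reg-style entries where `=-` deletes a value) are my reading of the CFScript format, not something the post states.

```python
"""Summarise what a ComboFix CFScript will do before it is run.

Added example. Section semantics are assumptions about the CFScript format:
  File::     delete the listed files
  Collect::  move the listed files into the Qoobox Submit zip
  Driver::   remove the listed services/drivers
  REGNULL::  remove registry keys with embedded nulls
  Registry:: apply .reg-style entries ("=-" deletes a value)
"""
import re
from collections import defaultdict

# Constructed sample: the script text posted in the thread above.
CFSCRIPT = r"""
File::
c:\windows\system32\drivers\faub.sys
c:\windows\system32\drivers\zsozh.sys
c:\windows\system32\drivers\srlr.sys
c:\windows\system32\drivers\ytpvfkbm.sys
c:\windows\winstart.bat
Collect::[8]
c:\windows\system32\wQmT4CU1.exe
Driver::
mamawvvj
hpedap
jxnrvk
eolbf
AtJob::
REGNULL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A754038D-5461-C6FF-89A37522C498DE93}\{1089EA54-87DF-A583-56CE37BECDECB43B}\{5F10775F-480B-9EA7-99D54B1CB86EF9A3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84989203-5DE8-3073-8BE62EC2F2FBE831}\{944CD226-8AE2-56C7-1A2253B060F71AD3}\{34E7E91D-17F9-EA39-81692D881F65A730}*]
[HKEY_USERS\S-1-5-21-3327755178-2562406999-819860561-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2D78318-59BE-9BC0-6AA0-10B1219010B9}*]
Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
"""

# "Name::" optionally followed by a tag such as "[8]" (used by Collect::).
SECTION_RE = re.compile(r"^([A-Za-z]+)::(\[\d+\])?\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Return {section_name: [body lines]}; empty sections map to []."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        sections[current].append(line)
    return dict(sections)


def parse_registry_section(lines):
    """Turn .reg-style lines into (key, value_name, action, data) tuples."""
    entries = []
    key = None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            if data == "-":
                entries.append((key, name, "delete", None))
            else:
                entries.append((key, name, "set", data))
    return entries


def summarise(text):
    """Group the script into the actions a reviewer wants to see at a glance."""
    sections = parse_cfscript(text)
    return {
        "delete_files": sections.get("File", []),
        "quarantine_files": sections.get("Collect", []),
        "remove_drivers": sections.get("Driver", []),
        "null_keys": sections.get("REGNULL", []),
        "registry": parse_registry_section(sections.get("Registry", [])),
    }


if __name__ == "__main__":
    for action, items in summarise(CFSCRIPT).items():
        print(action)
        for item in items:
            print("   ", item)
```

Reading the summary for this script shows it is purely remedial: it deletes the unsigned driver files and winstart.bat, quarantines one executable for submission, unregisters the four randomly named services, re-enables the XP firewall (EnableFirewall=1) and removes the two Explorer policy values the malware had set.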
#9
Posted 09 June 2009 - 07:56 PM
Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.