
Solved Google Redirecting Problem and blocking posting

Discussion in 'Malware and Virus Removal Archive' started by josofosky, 2008/08/29.

  1. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    [Resolved] Google Redirecting Problem and blocking posting

    Hi all,

    First of all I am new to WindowsBBS and this site looks to be very helpful after reading over some of the posts. I have read over most of the google redirecting problems but everyone seems to be a little different. I am hoping someone can point me in the right direction. I have to do this from another computer like some of the others as I can't post to this forum. Anyway here is a copy of my HJT log.....

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:08:06 AM, on 28/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\FinePixViewerS\QuickDCF2.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\HPHipm11.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HJT\HijackThis_61608.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe "
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher S.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174953992670
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174953978685
    O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (SolidWorks Installation Manager Contol) - http://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 9124 bytes


    Thanks in advance for the help! It will be greatly appreciated!!
     
  2. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS josofosky :)

    You need to get 2 applications to that computer's desktop.

    1. Download ComboFix by sUBs from here

    2. Download Malwarebytes' Anti-Malware (MBAM) from here or here

    Once they are both on the desktop, double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, physically disconnect your computer's internet connection.
    • Now select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    When MBAM is completely finished,
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Now reconnect your internet and post the logs from ComboFix and MBAM.
     


  4. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    I have a Warning! while running combo.exe it is "Unable to create a backup of the current registry file C:\WINDOWS\system32\config\SECURITY !" Do I want to continue with restoration of this file?
     
  5. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No.

    ComboFix should continue to run.
     
  6. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is my ComboFix.txt....

    ComboFix 08-08-28.04 - Kevin 2008-08-29 0:10:44.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.533 [GMT -6:00]
    Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\setup.exe
    C:\WINDOWS\system32\a.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_tdssserv


    ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
    .

    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-29 00:00 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-28 10:01 . 2008-08-28 10:01 <DIR> d-------- C:\Program Files\MSXML 6.0
    2008-08-28 09:51 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-08-28 09:49 . 2008-05-01 08:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-27 22:32 . 2008-08-28 10:09 <DIR> d-------- C:\Program Files\HJT
    2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\PCF-VLC

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-28 16:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AdobeUM
    2008-08-28 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-08-26 19:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\SolidWorks
    2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-05 05:19 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2008-06-05 05:19 191,488 ----a-w C:\WINDOWS\system32\hlvdd.dll
    2007-05-26 22:35 29,608 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 06:46 188416]
    "HPHmon04 "= "C:\WINDOWS\system32\hphmon04.exe" [2002-06-20 13:06 339968]
    "HPHUPD04 "= "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 06:47 49152]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
    "F-Secure Manager "= "C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-04-26 05:43 176177]
    "F-Secure TNB "= "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-04-26 05:41 733184]
    "News Service "= "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 06:45 356352]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 15:22 7618560]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 15:22 86016]
    "JMB36X IDE Setup "= "C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 22:44 36864]
    "36X Raid Configurer "= "C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 19:05 1953792]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [2007-05-14 16:22 35328]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "nwiz "= "nwiz.exe" [2006-06-01 15:22 1519616 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-11-14 03:21 16270848 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 04:04 2879488 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-13 20:14:57 113664]
    Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe [2007-07-26 22:53:46 303104]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 257752]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11 233472]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 17:06]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-02-13 18:26]
    R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 20:48]
    R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-04-26 05:42]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 05:42]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-04-26 05:42]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f58eb-d7fa-11db-8b97-806d6172696f}]
    \Shell\AutoRun\command - D:\Run.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41B358CA-E0A0-9C82-94F0-99D46EA971CB}]
    C:\WINDOWS\system32:winupdate.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-lphc90jj0ej8j - C:\WINDOWS\system32\lphc90jj0ej8j.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\1wmqi5wy.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.ca
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-29 00:28:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nview.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Crypserv.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-29 0:31:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-29 06:30:52

    Pre-Run: 45,945,921,536 bytes free
    Post-Run: 45,988,925,440 bytes free

    171 --- E O F --- 2008-08-28 16:03:00
     
  7. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is MBAM txt file.....

    Malwarebytes' Anti-Malware 1.25
    Database version: 1093
    Windows 5.1.2600 Service Pack 2

    12:05:06 AM 29/08/2008
    mbam-log-08-29-2008 (00-05-06).txt

    Scan type: Quick Scan
    Objects scanned: 45557
    Time elapsed: 2 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Kevin\Local Settings\Temp\4yd8xg7b.0xe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32:winupdate (Rootkit.ADS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32:winupdate.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
     
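    The two logs above (ComboFix in post 6, MBAM in post 7) show the indicators worth pulling out of a removal log by eye: an NTFS alternate data stream attached to the system32 directory (C:\WINDOWS\system32:winupdate.exe, also referenced from an Active Setup "installed components" key), a TDSS-named service and driver, the Windows Firewall switched off ("EnableFirewall" = 0) and a mountpoint AutoRun command pointing at D:\Run.exe. As an added example that is not code from the forum, from ComboFix, MBAM or HijackThis, here is a small Python triage script that scans log lines for exactly those patterns. The sample lines are copied from the posted logs plus two benign lines (iTunes, the LimeWire firewall exception) added for contrast; the rule names and regular expressions are this example's own assumptions, not anything the tools ship.

```python
"""Triage helper for ComboFix / MBAM style removal logs.

Added example: flags a handful of indicators that appear in the logs posted
in this thread. Rules and sample lines are this example's own; they are not
part of ComboFix, MBAM or HijackThis.
"""
import re
from dataclasses import dataclass

# Constructed mini-log: lines copied from the ComboFix and MBAM logs above,
# plus two benign lines (iTunes, LimeWire firewall exception) for contrast.
SAMPLE_LOG = r"""
-------\Legacy_TDSSSERV
-------\Service_tdssserv
"EnableFirewall "= 0 (0x0)
"C:\\Program Files\\LimeWire\\LimeWire.exe "=
\Shell\AutoRun\command - D:\Run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41B358CA-E0A0-9C82-94F0-99D46EA971CB}]
C:\WINDOWS\system32:winupdate.exe
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32:winupdate (Rootkit.ADS) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id (this example's own names)
    detail: str  # the matched fragment
    line: str    # the offending log line


# A Windows path whose last component carries ":name" is an NTFS alternate
# data stream (here a stream hung off the system32 *directory*). The drive
# letter's own colon is consumed by "[A-Za-z]:\\" so "C:\" never triggers.
ADS_RE = re.compile(r'\b[A-Za-z]:\\[^\s:"]+:([A-Za-z0-9_.\-]+)')
# Windows Firewall standard profile switched off (value 0), as in the log.
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall\s*"\s*=\s*0\b')
# MountPoints2 AutoRun command: whatever runs when the volume is opened.
AUTORUN_RE = re.compile(r'\\Shell\\AutoRun\\command\s*-\s*(\S+)')
# File/service names carrying the "tdss" prefix seen throughout both logs.
TDSS_RE = re.compile(r'tdss', re.IGNORECASE)


def triage(log_text: str) -> list:
    """Return one Finding per (rule, line) hit over the given log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ADS_RE.search(line):
            findings.append(Finding("ntfs-ads", m.group(0), line))
        if FIREWALL_OFF_RE.search(line):
            findings.append(Finding("firewall-disabled", "EnableFirewall=0", line))
        if m := AUTORUN_RE.search(line):
            findings.append(Finding("autorun-command", m.group(1), line))
        if TDSS_RE.search(line):
            findings.append(Finding("tdss-artifact", line.split()[0], line))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'ntfs-ads': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(hits))
```

On the sample above the script reports two ADS hits (the ComboFix Active Setup line and the MBAM Rootkit.ADS line), three TDSS-named artifacts, the disabled firewall and the D:\Run.exe AutoRun command, and stays silent on the iTunes and LimeWire lines. The name-based TDSS rule is a heuristic, not proof of infection on its own; the ADS and AutoRun rules are the ones worth trusting, since neither belongs in a clean startup list.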
  8. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is my ComboFix.txt.....

    ComboFix 08-08-28.04 - Kevin 2008-08-29 0:10:44.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.533 [GMT -6:00]
    Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\setup.exe
    C:\WINDOWS\system32\a.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_tdssserv


    ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
    .

    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-29 00:00 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-28 10:01 . 2008-08-28 10:01 <DIR> d-------- C:\Program Files\MSXML 6.0
    2008-08-28 09:51 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-08-28 09:49 . 2008-05-01 08:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-27 22:32 . 2008-08-28 10:09 <DIR> d-------- C:\Program Files\HJT
    2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\PCF-VLC

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-28 16:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AdobeUM
    2008-08-28 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-08-26 19:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\SolidWorks
    2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-05 05:19 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2008-06-05 05:19 191,488 ----a-w C:\WINDOWS\system32\hlvdd.dll
    2007-05-26 22:35 29,608 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 06:46 188416]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-06-20 13:06 339968]
    "HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 06:47 49152]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
    "F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-04-26 05:43 176177]
    "F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-04-26 05:41 733184]
    "News Service"="C:\Program Files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 06:45 356352]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 15:22 7618560]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 15:22 86016]
    "JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 22:44 36864]
    "36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 19:05 1953792]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 16:22 35328]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "nwiz"="nwiz.exe" [2006-06-01 15:22 1519616 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 03:21 16270848 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 04:04 2879488 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-13 20:14:57 113664]
    Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe [2007-07-26 22:53:46 303104]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 257752]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11 233472]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 17:06]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-02-13 18:26]
    R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 20:48]
    R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-04-26 05:42]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 05:42]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-04-26 05:42]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f58eb-d7fa-11db-8b97-806d6172696f}]
    \Shell\AutoRun\command - D:\Run.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41B358CA-E0A0-9C82-94F0-99D46EA971CB}]
    C:\WINDOWS\system32:winupdate.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-lphc90jj0ej8j - C:\WINDOWS\system32\lphc90jj0ej8j.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\1wmqi5wy.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.ca
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-29 00:28:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nview.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Crypserv.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-29 0:31:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-29 06:30:52

    Pre-Run: 45,945,921,536 bytes free
    Post-Run: 45,988,925,440 bytes free

    171 --- E O F --- 2008-08-28 16:03:00
     
  9. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please disable real-time protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    Extra::
    File::
    C:\WINDOWS\system32\winupdate.exe
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f58eb-d7fa-11db-8b97-806d6172696f}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41B358CA-E0A0-9C82-94F0-99D46EA971CB}]
    
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  10. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is the log.txt.

    ComboFix 08-08-28.04 - Kevin 2008-08-29 1:06:06.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.697 [GMT -6:00]
    Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\winupdate.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
    .

    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-29 00:00 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-28 10:01 . 2008-08-28 10:01 <DIR> d-------- C:\Program Files\MSXML 6.0
    2008-08-28 09:51 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-08-28 09:49 . 2008-05-01 08:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-27 22:32 . 2008-08-28 10:09 <DIR> d-------- C:\Program Files\HJT
    2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\PCF-VLC

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-28 16:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AdobeUM
    2008-08-28 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-08-26 19:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\SolidWorks
    2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-05 05:19 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2008-06-05 05:19 191,488 ----a-w C:\WINDOWS\system32\hlvdd.dll
    2007-05-26 22:35 29,608 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-29_ 0.30.24.71 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-29 07:08:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_ae8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 06:46 188416]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-06-20 13:06 339968]
    "HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 06:47 49152]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
    "F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-04-26 05:43 176177]
    "F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-04-26 05:41 733184]
    "News Service"="C:\Program Files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 06:45 356352]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 15:22 7618560]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 15:22 86016]
    "JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 22:44 36864]
    "36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 19:05 1953792]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 16:22 35328]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "nwiz"="nwiz.exe" [2006-06-01 15:22 1519616 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 03:21 16270848 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 04:04 2879488 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-13 20:14:57 113664]
    Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe [2007-07-26 22:53:46 303104]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 257752]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11 233472]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 17:06]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-02-13 18:26]
    R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 20:48]
    R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-04-26 05:42]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 05:42]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-04-26 05:42]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\1wmqi5wy.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.ca
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-29 01:08:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nview.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Crypserv.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-29 1:11:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-29 07:11:18
    ComboFix2.txt 2008-08-29 06:31:10

    Pre-Run: 45,977,268,224 bytes free
    Post-Run: 45,965,135,872 bytes free

    163 --- E O F --- 2008-08-28 16:03:00
     
  11. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    
    
    Double click fix.reg and allow it to merge with the registry.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now, do an online scan with Kaspersky Online Scanner

    Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.


    And finally,
    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of both logs here in your next reply.
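As an added check to go with the fix.reg above (my own example, not code from the thread or from ComboFix, HijackThis or RSIT), the script below compares a SecurityProviders value against the XP default list the fix restores, reports extra or missing entries, and renders the same REGEDIT4 file. The sample value at the bottom is constructed; on Windows the live value is read from the registry instead.

```python
"""Audit a SecurityProviders value against the XP default and render a fix.reg.

Added example for this thread; it is not code from the forum posts, ComboFix,
HijackThis or RSIT. The baseline list is the one in the fix.reg above; the
sample value at the bottom is constructed, not taken from the posted logs.
"""

# Default SecurityProviders on Windows XP SP2, as given in the thread's fix.reg.
XP_DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Key as written in the thread's fix.reg (registry paths are case-insensitive).
REG_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"


def parse_providers(value):
    """Split a REG_SZ SecurityProviders string into DLL names.

    Entries are comma separated; surrounding whitespace is dropped and empty
    entries (e.g. from a trailing comma) are ignored.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def find_unexpected(value, baseline=XP_DEFAULT_PROVIDERS):
    """Return entries not in the baseline, in the order they appear.

    Matching is case-insensitive. Anything that is not one of the bare default
    DLL names is reported, which also catches a default name given with a path.
    """
    known = {name.lower() for name in baseline}
    return [entry for entry in parse_providers(value) if entry.lower() not in known]


def find_missing(value, baseline=XP_DEFAULT_PROVIDERS):
    """Return baseline entries absent from the value, in baseline order."""
    present = {entry.lower() for entry in parse_providers(value)}
    return [name for name in baseline if name.lower() not in present]


def audit(value, baseline=XP_DEFAULT_PROVIDERS):
    """Summarise deviations from the baseline as a dict."""
    return {
        "unexpected": find_unexpected(value, baseline),
        "missing": find_missing(value, baseline),
    }


def build_fix_reg(baseline=XP_DEFAULT_PROVIDERS):
    """Render a REGEDIT4 file restoring the baseline value.

    Produces the same content as the thread's fix.reg: header, blank line,
    key, value, CRLF line endings and a trailing blank line.
    """
    lines = [
        "REGEDIT4",
        "",
        "[" + REG_KEY + "]",
        '"SecurityProviders"="' + ", ".join(baseline) + '"',
        "",
    ]
    return "\r\n".join(lines) + "\r\n"


def read_live_value():
    """Read the live value on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "SecurityProviders")
        return value


# Constructed sample: the XP default with one non-default DLL appended, which is
# the kind of change the fix.reg in the thread is meant to undo.
SAMPLE_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, extra_example.dll"

if __name__ == "__main__":
    current = read_live_value() or SAMPLE_VALUE
    report = audit(current)
    print("unexpected:", report["unexpected"])  # ['extra_example.dll'] for the sample
    print("missing:   ", report["missing"])     # [] for the sample
    if report["unexpected"] or report["missing"]:
        print(build_fix_reg(), end="")
```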
     
  12. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is the RSIT log file, and thanks for all the help so far!!!

    Logfile of random's system information tool (written by random/random)
    Run by Kevin at 2008-08-29 11:54:01
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 44 GB (73%) free of 60 GB
    Total RAM: 1022 MB (58% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:54:48 AM, on 29/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\FinePixViewerS\QuickDCF2.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\HPHipm11.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Shaw Secure\Common\FSLAUNCHER1.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\Documents and Settings\Kevin\Desktop\RSIT.exe
    C:\Program Files\trend micro\Kevin.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher S.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174953992670
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174953978685
    O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (SolidWorks Installation Manager Contol) - http://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 8752 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F85D76C-0569-466F-A488-493E6BD0E955}]
    dsWebAllowBHO Class - C:\Program Files\Windows Desktop Search\dsWebAllow.dll [2006-03-26 265432]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
    "HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe [2002-05-24 188416]
    "HPHmon04"=C:\WINDOWS\system32\hphmon04.exe [2002-06-20 339968]
    "HPHUPD04"=C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe [2002-05-24 49152]
    "Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]
    "F-Secure Manager"=C:\Program Files\Shaw Secure\Common\FSM32.EXE [2007-04-26 176177]
    "F-Secure TNB"=C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe [2007-04-26 733184]
    "News Service"=C:\Program Files\Shaw Secure\FSGUI\ispnews.exe [2005-05-31 356352]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-06-01 7618560]
    "nwiz"=C:\WINDOWS\system32\nwiz.exe [2006-06-01 1519616]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-06-01 86016]
    "RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-11-14 16270848]
    "SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
    "JMB36X IDE Setup"=C:\WINDOWS\JM\JMInsIDE.exe [2006-10-30 36864]
    "36X Raid Configurer"=C:\WINDOWS\system32\JMRaidSetup.exe [2006-11-16 1953792]
    "WinampAgent"=C:\Program Files\Winamp\winampa.exe [2007-05-14 35328]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-02-01 385024]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 233472]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    File associations

    .js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

    List of files/folders created in the last three months

    2008-08-29 11:54:03 ----D---- C:\Program Files\trend micro
    2008-08-29 11:54:01 ----D---- C:\rsit
    2008-08-29 01:13:12 ----SHD---- C:\RECYCLER
    2008-08-29 01:11:50 ----A---- C:\ComboFix.txt
    2008-08-29 01:07:06 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-08-29 00:10:24 ----D---- C:\WINDOWS\erdnt
    2008-08-29 00:09:33 ----D---- C:\QooBox
    2008-08-29 00:09:31 ----A---- C:\WINDOWS\swreg.exe
    2008-08-29 00:09:31 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\zip.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\VFind.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\swsc.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\sed.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\grep.exe
    2008-08-29 00:09:30 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-29 00:00:46 ----D---- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2008-08-29 00:00:41 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-29 00:00:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-28 10:02:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-08-28 10:02:54 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-08-28 10:02:49 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-08-28 10:02:45 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
    2008-08-28 10:02:22 ----HDC---- C:\WINDOWS\$NtUninstallKB946627$
    2008-08-28 10:01:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-08-28 10:01:43 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-08-28 10:01:38 ----D---- C:\Program Files\MSXML 6.0
    2008-08-28 10:00:46 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-08-28 10:00:41 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
    2008-08-28 10:00:08 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-08-28 09:59:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-08-28 09:59:25 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-28 09:59:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-08-28 09:58:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
    2008-08-28 09:58:10 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
    2008-08-27 22:32:24 ----D---- C:\Program Files\HJT
    2008-08-27 18:12:57 ----D---- C:\Documents and Settings\Kevin\Application Data\PCF-VLC
    2008-08-27 17:31:27 ----D---- C:\WINDOWS\pss
    2008-07-17 21:04:05 ----D---- C:\WINDOWS\Minidump
    2008-06-04 23:19:15 ----A---- C:\WINDOWS\system32\hlvdd.dll
    2008-06-04 23:19:15 ----A---- C:\WINDOWS\system32\haspvdd.dll
    2008-06-04 23:19:10 ----D---- C:\Program Files\Common Files\Aladdin Shared
    2008-06-04 23:19:02 ----A---- C:\WINDOWS\system32\hasplms.exe
    2008-06-04 23:19:01 ----A---- C:\WINDOWS\system32\aksllmtp.exe
    2008-06-04 23:17:33 ----D---- C:\Program Files\CADWorx Plant 2008
    2008-06-04 22:29:39 ----D---- C:\Documents and Settings\All Users\Application Data\Azureus
    2008-06-04 22:29:37 ----D---- C:\Documents and Settings\Kevin\Application Data\Azureus
    2008-06-04 22:28:34 ----D---- C:\Program Files\Azureus
    2008-06-03 23:24:09 ----D---- C:\Program Files\AutoCAD 2008
    2008-06-03 23:24:09 ----D---- C:\Documents and Settings\Kevin\Application Data\Autodesk
    2008-06-03 23:24:09 ----D---- C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-06-03 23:22:26 ----D---- C:\Program Files\Common Files\Autodesk Shared
    2008-06-03 23:22:26 ----D---- C:\Program Files\Autodesk
    2008-06-03 23:22:02 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
    2008-05-31 23:34:39 ----D---- C:\Documents and Settings\Kevin\Application Data\U3

    List of drivers

    R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
    R1 F-Secure HIPS;F-Secure HIPS; \??\C:\Program Files\Shaw Secure\HIPS\fshs.sys []
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
    R1 NetworkX;NetworkX; C:\WINDOWS\system32\system32\ckldrv.sys []
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\system32\System32\drivers\ws2ifsl.sys []
    R2 aksfridge;aksfridge; \??\C:\WINDOWS\system32\drivers\aksfridge.sys []
    R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
    R2 Haspnt;Haspnt; \??\C:\WINDOWS\system32\drivers\Haspnt.sys []
    R3 Dot4 HPH11;Dot4 HPH11; C:\WINDOWS\system32\DRIVERS\hphid411.sys [2002-05-24 50896]
    R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11; C:\WINDOWS\system32\DRIVERS\hphipr11.sys [2002-05-24 16112]
    R3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11); C:\WINDOWS\System32\Drivers\hphs2k11.sys [2002-05-24 50276]
    R3 Dot4Usb HPH11;Dot4Usb HPH11; C:\WINDOWS\System32\drivers\hphius11.sys [2002-05-24 18928]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper; \??\C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys []
    R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-06-01 3925920]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [2006-11-22 250496]
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    S4 F-Secure Filter;F-Secure File System Filter; \??\C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys []
    S4 F-Secure Recognizer;F-Secure File System Recognizer; \??\C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys []
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    List of services

    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-01-15 110592]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
    R2 Crypkey License;Crypkey License; C:\WINDOWS\system32\crypserv.exe [2000-06-29 52224]
    R2 F-Secure Gatekeeper Handler Starter;FSGKHS; C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe [2007-04-26 41043]
    R2 FSMA;FSMA; C:\Program Files\Shaw Secure\Common\FSMA32.EXE [2007-04-26 106546]
    R2 hasplms;HASP License Manager; C:\WINDOWS\system32\hasplms.exe [2007-03-15 535807]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-06-01 155715]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
    R3 Pml Driver HPH11;Pml Driver HPH11; C:\WINDOWS\system32\HPHipm11.exe [2002-05-24 77824]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
    S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-06-03 85096]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
    S3 FSAUA;F-Secure Automatic Update Agent; C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe [2007-04-26 450560]
    S3 FSDFWD;F-Secure Anti-Virus Firewall Daemon; C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe [2007-04-26 446464]
    S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2007-04-23 79360]

    -----------------EOF-----------------
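The "List of drivers" and "List of services" lines in the RSIT log above follow a fixed layout: a start code (R = running, S = not running), the service name and description separated by semicolons, the image path, and in brackets the file's date and size, which are left empty when the tool could not read the file. The script below is an added example for triaging such lines; it is not code from the thread, from RSIT or from ComboFix. The heuristics it applies (empty metadata, a doubled `system32\system32` path component, a binary outside `C:\WINDOWS` or `C:\Program Files`) are my own assumptions for a first pass, and a flag is a prompt for a manual look, not a verdict: the legitimate ws2ifsl.sys entry in this very log trips the doubled-path check too. The sample lines are copied from the log above.

```python
"""Triage helper for the 'List of drivers' / 'List of services' lines of an
RSIT-style log (added example; not code from the thread, RSIT or ComboFix).

Assumed line layout, taken from the log above:
    <start> <name>;<description>; <path> [<date> <size>]
An empty '[]' means the tool could not read the file's timestamp and size.
Flags are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"                    # R = running, S = stopped / on demand
    r"(?P<name>[^;]+);(?P<desc>[^;]*);\s*"      # name;description;
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"  # path [date size] or path []
)

# Directories a driver or service binary is normally expected to live under
# (assumption for this example; adjust for the machine under review).
STANDARD_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    start: str
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):      # NT object-manager prefix; strip it
        path = path[4:]
    meta = m.group("meta").split()
    date = meta[0] if meta else None
    size = int(meta[1]) if len(meta) > 1 and meta[1].isdigit() else None
    entry = Entry(m.group("start"), m.group("name").strip(), path, date, size)

    low = path.lower()
    if not meta:
        entry.flags.append("no-file-metadata")      # file missing or unreadable
    if re.search(r"system32\\system32\\", low):
        entry.flags.append("doubled-system32")      # unusual path; worth a look
    if not low.startswith(STANDARD_PREFIXES):
        entry.flags.append("outside-standard-dirs")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that raised at least one flag, running ones first."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e.flags]
    return sorted(entries, key=lambda e: (e.start[0] != "R", e.name.lower()))


# Constructed sample: lines copied from the RSIT log above.
SAMPLE_LOG = r"""
List of drivers

R1 NetworkX;NetworkX; C:\WINDOWS\system32\system32\ckldrv.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-06-01 3925920]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R2 hasplms;HASP License Manager; C:\WINDOWS\system32\hasplms.exe [2007-03-15 535807]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.start} {e.name:<12} {e.path}  -> {', '.join(e.flags)}")
```

Run against the sample, it reports NetworkX (empty metadata plus the doubled path component) and catchme (empty metadata, outside the standard directories); the nv and hasplms entries pass. In this thread both flagged entries turned out to be benign (a licensing driver and ComboFix's own rootkit scanner), which is exactly why the output is a worklist for a human and not a removal list.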
     
  13. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is the Kaspersky file......

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, August 29, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, August 29, 2008 17:15:08
    Records in database: 1163294
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan statistics:
    Files scanned: 81046
    Threat name: 4
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 01:13:02


    File name / Threat name / Threats count
    C:\Downloads\Easy GIF Animator 4 4 0 32\SETUP.0XE Infected: Trojan-Dropper.Win32.Agent.ehp 1
    C:\Music\Shared\david cook billie jean.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
    C:\Music\Shared\true companion mark cohn(1).mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
    C:\Music\Shared\true companion mark cohn.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\a.exe.vir Infected: Trojan-Downloader.Win32.Small.ackc 1
    C:\WINDOWS\Encrypted.exe Infected: Backdoor.Win32.Poison.lj 1

    The selected area was scanned.
     
  14. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    File::
    C:\Downloads\Easy GIF Animator 4 4 0 32\SETUP.0XE
    C:\Music\Shared\david cook billie jean.mp3
    C:\Music\Shared\true companion mark cohn(1).mp3
    C:\Music\Shared\true companion mark cohn.mp3
    C:\WINDOWS\Encrypted.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    P2P - I see you have P2P software (Azureus, Limewire) installed on your machine. I'm not passing judgment on file-sharing as a concept. However, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
     
  15. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Here is a post of my newest ComboFix log.txt....Thanks once again for all this help and I will look into removing Limewire and Azureus!!

    ComboFix 08-08-28.04 - Kevin 2008-08-29 12:54:46.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.697 [GMT -6:00]
    Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Downloads\Easy GIF Animator 4 4 0 32\SETUP.0XE
    C:\Music\Shared\david cook billie jean.mp3
    C:\Music\Shared\true companion mark cohn(1).mp3
    C:\Music\Shared\true companion mark cohn.mp3
    C:\WINDOWS\Encrypted.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Downloads\Easy GIF Animator 4 4 0 32\SETUP.0XE
    C:\Music\Shared\david cook billie jean.mp3
    C:\Music\Shared\true companion mark cohn(1).mp3
    C:\Music\Shared\true companion mark cohn.mp3
    C:\WINDOWS\Encrypted.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
    .

    2008-08-29 11:54 . 2008-08-29 11:55 <DIR> d-------- C:\rsit
    2008-08-29 11:54 . 2008-08-29 11:54 <DIR> d-------- C:\Program Files\trend micro
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-29 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 00:00 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-29 00:00 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-28 10:01 . 2008-08-28 10:01 <DIR> d-------- C:\Program Files\MSXML 6.0
    2008-08-28 09:51 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-08-28 09:49 . 2008-05-01 08:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-27 22:32 . 2008-08-28 10:09 <DIR> d-------- C:\Program Files\HJT
    2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\PCF-VLC

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-28 16:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AdobeUM
    2008-08-28 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-08-26 19:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\SolidWorks
    2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-05 05:19 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2008-06-05 05:19 191,488 ----a-w C:\WINDOWS\system32\hlvdd.dll
    2007-05-26 22:35 29,608 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-29_ 0.30.24.71 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-29 18:57:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7d4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 06:46 188416]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-06-20 13:06 339968]
    "HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 06:47 49152]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
    "F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-04-26 05:43 176177]
    "F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-04-26 05:41 733184]
    "News Service"="C:\Program Files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 06:45 356352]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 15:22 7618560]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 15:22 86016]
    "JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 22:44 36864]
    "36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 19:05 1953792]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 16:22 35328]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "nwiz"="nwiz.exe" [2006-06-01 15:22 1519616 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 03:21 16270848 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 04:04 2879488 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-13 20:14:57 113664]
    Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe [2007-07-26 22:53:46 303104]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 257752]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11 233472]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 17:06]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-02-13 18:26]
    R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 20:48]
    R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-04-26 05:42]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 05:42]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-04-26 05:42]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-29 12:57:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nview.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\system32\Crypserv.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
    C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-29 13:01:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-29 19:01:07
    ComboFix2.txt 2008-08-29 07:11:50
    ComboFix3.txt 2008-08-29 06:31:10

    Pre-Run: 45,908,221,952 bytes free
    Post-Run: 45,938,905,088 bytes free

    170 --- E O F --- 2008-08-28 16:03:00
     
  16. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Now let's tidy up.

    Now open MBAM and remove any items quarantined. Do the same with your resident antivirus.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.

    Run ATF Cleaner once again as previously described.

    That should do it. Everything seems to be in order?
     
  17. 2008/08/29
    josofosky

    josofosky Inactive Thread Starter

    Joined:
    2008/08/27
    Messages:
    10
    Likes Received:
    0
    Everything looks to be back in order!! Thank you very much for guiding me through this, it is greatly appreciated!!

    Cheers!
     
  18. 2008/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
