
Solved Can't Remove Trojan.agent & backdoor.bot

Discussion in 'Malware and Virus Removal Archive' started by stan1622, 2009/02/27.

  1. 2009/02/27, stan1622 (Thread Starter)
    [Resolved] Can't Remove Trojan.agent & backdoor.bot

    I am unable to remove Trojan.agent & backdoor.bot.
    Every time I remove them with MBAM they come back.
    It started while I was building a MySpace layout for our business.
    I lose sound and everything runs poorly.
    Please help....


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/16/2004 12:43:15 PM
    System Uptime: 2/26/2009 11:04:57 PM (3 hours ago)

    Motherboard: Dell Computer Corp. | | 0F4491
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 19.257 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1698: 12/20/2008 3:33:33 PM - System Checkpoint
    RP1699: 12/21/2008 4:07:13 PM - System Checkpoint
    RP1700: 12/22/2008 4:36:09 PM - System Checkpoint
    RP1701: 12/23/2008 4:58:53 PM - System Checkpoint
    RP1702: 12/24/2008 5:48:58 PM - System Checkpoint
    RP1703: 12/25/2008 7:03:07 PM - System Checkpoint
    RP1704: 12/26/2008 10:45:45 PM - System Checkpoint
    RP1705: 12/27/2008 10:52:54 PM - System Checkpoint
    RP1706: 12/29/2008 1:11:50 AM - System Checkpoint
    RP1707: 12/30/2008 1:52:48 AM - System Checkpoint
    RP1708: 12/31/2008 2:20:46 AM - System Checkpoint
    RP1709: 1/1/2009 2:35:30 AM - System Checkpoint
    RP1710: 1/2/2009 3:36:09 AM - System Checkpoint
    RP1711: 1/3/2009 4:21:01 AM - System Checkpoint
    RP1712: 1/4/2009 7:36:00 AM - System Checkpoint
    RP1713: 1/5/2009 7:59:29 AM - System Checkpoint
    RP1714: 1/6/2009 9:01:25 AM - System Checkpoint
    RP1715: 1/7/2009 9:25:11 AM - System Checkpoint
    RP1716: 1/8/2009 9:28:41 AM - System Checkpoint
    RP1717: 1/9/2009 10:01:24 AM - System Checkpoint
    RP1718: 1/10/2009 2:08:34 PM - System Checkpoint
    RP1719: 1/11/2009 2:35:44 PM - System Checkpoint
    RP1720: 1/12/2009 5:39:24 PM - System Checkpoint
    RP1721: 1/13/2009 7:14:28 PM - System Checkpoint
    RP1722: 1/14/2009 3:00:25 AM - Software Distribution Service 3.0
    RP1723: 1/14/2009 11:57:18 PM - Software Distribution Service 3.0
    RP1724: 1/16/2009 9:01:35 AM - System Checkpoint
    RP1725: 1/17/2009 10:11:34 AM - System Checkpoint
    RP1726: 1/18/2009 11:31:12 AM - System Checkpoint
    RP1727: 1/19/2009 1:29:10 PM - System Checkpoint
    RP1728: 1/20/2009 3:29:31 PM - System Checkpoint
    RP1729: 1/21/2009 4:17:14 PM - System Checkpoint
    RP1730: 1/22/2009 5:18:44 PM - System Checkpoint
    RP1731: 1/23/2009 5:46:41 PM - System Checkpoint
    RP1732: 1/24/2009 7:40:33 PM - System Checkpoint
    RP1733: 1/25/2009 10:44:07 PM - System Checkpoint
    RP1734: 1/26/2009 10:44:59 PM - System Checkpoint
    RP1735: 1/27/2009 11:37:48 PM - System Checkpoint
    RP1736: 1/29/2009 1:40:29 AM - System Checkpoint
    RP1737: 1/30/2009 3:28:31 AM - System Checkpoint
    RP1738: 1/31/2009 4:11:09 AM - System Checkpoint
    RP1739: 2/1/2009 5:35:01 AM - System Checkpoint
    RP1740: 2/2/2009 7:25:34 AM - System Checkpoint
    RP1741: 2/3/2009 7:37:34 AM - System Checkpoint
    RP1742: 2/4/2009 8:21:38 AM - System Checkpoint
    RP1743: 2/5/2009 1:20:38 PM - System Checkpoint
    RP1744: 2/6/2009 6:43:14 PM - System Checkpoint
    RP1745: 2/8/2009 2:27:35 PM - System Checkpoint
    RP1746: 2/9/2009 6:36:54 PM - System Checkpoint
    RP1747: 2/11/2009 2:43:19 PM - System Checkpoint
    RP1748: 2/12/2009 3:00:40 AM - Software Distribution Service 3.0
    RP1749: 2/12/2009 10:10:45 PM - Restore Operation
    RP1750: 2/12/2009 10:19:27 PM - Software Distribution Service 3.0
    RP1751: 2/13/2009 11:03:52 PM - System Checkpoint
    RP1752: 2/15/2009 1:47:54 AM - System Checkpoint
    RP1753: 2/16/2009 4:39:55 PM - System Checkpoint
    RP1754: 2/17/2009 7:12:01 PM - System Checkpoint
    RP1755: 2/18/2009 8:17:40 PM - System Checkpoint
    RP1756: 2/19/2009 11:47:47 PM - System Checkpoint
    RP1757: 2/21/2009 6:36:28 PM - System Checkpoint
    RP1758: 2/25/2009 10:01:15 PM - post MBAM

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    ABBYY FineReader 5.0 Sprint Plus
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Photoshop 6.0
    Adobe Reader 7.1.0
    Adobe Shockwave Player 11
    Banctec Service Agreement
    Camera Window
    Canon Camera Window for ZoomBrowser EX
    Canon PhotoRecord
    Canon Utilities RemoteCapture 2.7
    Canon Utilities ZoomBrowser EX
    Dell Networking Guide
    Dell ResourceCD
    Dell Solution Center
    DesignPro 5.0 Limited Edition
    DVDSentry
    Express Burn
    FaxDrive
    Help and Support Customization
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    IncrediMail Xe
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    Internet Explorer Default Page
    Ipswitch WS_FTP LE
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_05
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1
    Learn2 Player (Uninstall Only)
    Logitech iTouch Software
    Logitech MouseWare 9.79.1
    Logitech Resource Center
    Magentic
    Malwarebytes' Anti-Malware
    Media Library Management Wizard
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft FrontPage 2000
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Word Supplemental Templates and Wizards
    Modem Event Monitor
    Modem Helper
    Modem On Hold
    Motorola Driver Installation
    Motorola USB Drivers
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    NewsBin Pro
    NI Service Center
    PowerDVD
    QuickTime
    RemoteCapture 2.7.0
    ScanToWeb
    Scrabble Complete
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Visio 2007 (KB947590)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960715)
    Shockwave
    SONAR 3 Producer Edition
    Sonic DLA
    Sonic RecordNow!
    SureThing CD Labeler - Stomper Edition 32 bit
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb959634)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Winamp (remove only)
    Windows Backup Utility
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip

    ==== Event Viewer Messages From Past Week ========

    2/22/2009 3:22:29 PM, error: Service Control Manager [7034] - The Service AntiVir service terminated unexpectedly. It has done this 1 time(s).
    2/23/2009 1:01:57 AM, error: Service Control Manager [7034] - The Sysmtens service terminated unexpectedly. It has done this 1 time(s).
    2/23/2009 1:53:29 AM, error: Service Control Manager [7034] - The Service Eset service terminated unexpectedly. It has done this 1 time(s).
    2/23/2009 10:34:53 PM, error: Service Control Manager [7034] - The MBackMonitor service terminated unexpectedly. It has done this 1 time(s).
    2/24/2009 3:01:18 AM, error: Service Control Manager [7034] - The soxpeca Service service terminated unexpectedly. It has done this 1 time(s).
    2/24/2009 3:01:18 AM, error: Service Control Manager [7034] - The mabidwe Service service terminated unexpectedly. It has done this 1 time(s).
    2/24/2009 3:07:15 AM, error: Service Control Manager [7000] - The afisicx service failed to start due to the following error: The system cannot find the file specified.
    2/24/2009 4:01:15 AM, error: Service Control Manager [7034] - The .Freame Micer service terminated unexpectedly. It has done this 1 time(s).
    2/24/2009 7:30:36 PM, error: Service Control Manager [7000] - The mabidwe service failed to start due to the following error: The system cannot find the file specified.
    2/24/2009 7:30:36 PM, error: Service Control Manager [7000] - The soxpeca service failed to start due to the following error: The system cannot find the file specified.
    2/24/2009 8:08:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    2/24/2009 8:09:02 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
    2/26/2009 12:00:29 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

    ==== End Of File ===========================


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by STAN at 2:13:07.98 on Fri 02/27/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.47 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\IncrediMail\bin\IncMail.exe
    C:\WINDOWS\system32\umtcdtw.sys
    C:\Documents and Settings\STAN\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ebay.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
    mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [DVDSentry] c:\windows\system32\DSentry.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [Explorer] c:\windows\system32\msrstart.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    LSA: Notification Packages = :\windows\system32\srrstr.

    ============= SERVICES / DRIVERS ===============

    R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2002-8-29 182272]
    R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2002-8-29 183296]
    R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2002-8-29 186368]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S0 cnwpn;cnwpn;c:\windows\system32\drivers\rkqfcwp.sys --> c:\windows\system32\drivers\rkqfcwp.sys [?]
    S2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
    S2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
    S2 netmantow;Network Connections.;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
    S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
    S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\ma763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2006-10-17 16896]

    ============== File Associations ===============

    txtfile= "c:\windows\system32\nxtepad.exe" "%1 "

    =============== Created Last 30 ================

    2009-02-25 14:24 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
    2009-02-25 14:12 86,016 a------- c:\windows\system32\u142575027.dll
    2009-02-25 14:12 77,824 a------- c:\windows\system32\u14257823.dll
    2009-02-25 14:12 90,112 a------- c:\windows\system32\200921218.dll
    2009-02-25 13:18 90,112 a------- c:\windows\system32\200921825.dll
    2009-02-25 13:18 86,016 a------- c:\windows\system32\u132532829.dll
    2009-02-25 13:18 77,824 a------- c:\windows\system32\u132546829.dll
    2009-02-25 12:00 90,112 a------- c:\windows\system32\20092017.dll
    2009-02-25 12:00 86,016 a------- c:\windows\system32\u122579621.dll
    2009-02-25 12:00 77,824 a------- c:\windows\system32\u122595321.dll
    2009-02-24 23:10 90,112 a------- c:\windows\system32\20092101.dll
    2009-02-24 23:10 86,016 a------- c:\windows\system32\u23245466.dll
    2009-02-24 21:28 86,016 a------- c:\windows\system32\u212425013.dll
    2009-02-24 21:28 77,824 a------- c:\windows\system32\u212442112.dll
    2009-02-24 21:28 90,112 a------- c:\windows\system32\20092287.dll
    2009-02-24 20:10 86,016 a------- c:\windows\system32\u202467115.dll
    2009-02-24 20:10 90,112 a------- c:\windows\system32\200921010.dll
    2009-02-24 20:10 77,824 a------- c:\windows\system32\u202434314.dll
    2009-02-24 19:48 <DIR> --d----- c:\docume~1\stan\applic~1\Malwarebytes
    2009-02-24 19:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-02-24 19:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-24 19:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-02-24 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-02-24 19:31 90,112 a------- c:\windows\system32\200923148.dll
    2009-02-24 19:31 86,016 a------- c:\windows\system32\u192435953.dll
    2009-02-24 19:31 77,824 a------- c:\windows\system32\u192429653.dll
    2009-02-24 18:17 86,016 a------- c:\windows\system32\u18247501.dll
    2009-02-24 18:17 90,112 a------- c:\windows\system32\200921654.dll
    2009-02-24 18:17 77,824 a------- c:\windows\system32\u18243159.dll
    2009-02-24 17:28 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-02-24 17:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-02-24 17:26 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
    2009-02-24 17:26 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-02-24 17:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-02-24 17:26 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-02-24 17:26 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-02-24 17:26 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-02-24 17:26 <DIR> --d----- C:\ad7466749e8d59fa3ab28d8b728c
    2009-02-24 03:08 90,112 a------- c:\windows\system32\20092827.dll
    2009-02-24 03:08 86,016 a------- c:\windows\system32\u32446831.dll
    2009-02-24 03:08 77,824 a------- c:\windows\system32\u32439031.dll
    2009-02-24 02:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-02-24 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-02-23 22:42 86,016 a------- c:\windows\system32\u222357853.dll
    2009-02-23 22:42 90,112 a------- c:\windows\system32\200924249.dll
    2009-02-23 20:14 <DIR> --d----- c:\docume~1\stan\applic~1\McAfee
    2009-02-23 18:11 86,016 a------- c:\windows\system32\u182315632.dll
    2009-02-23 18:11 77,824 a------- c:\windows\system32\u182385930.dll
    2009-02-23 18:11 90,112 a------- c:\windows\system32\200921126.dll
    2009-02-23 17:06 86,016 a------- c:\windows\system32\u17236409.dll
    2009-02-23 17:06 77,824 a------- c:\windows\system32\u17232818.dll
    2009-02-23 17:06 90,112 a------- c:\windows\system32\2009263.dll
    2009-02-23 15:09 86,016 a------- c:\windows\system32\u152310911.dll
    2009-02-23 15:09 77,824 a------- c:\windows\system32\u15237811.dll
    2009-02-23 15:09 90,112 a------- c:\windows\system32\2009296.dll
    2009-02-23 01:27 86,016 a------- c:\windows\system32\u12396856.dll
    2009-02-23 01:27 77,824 a------- c:\windows\system32\u12356254.dll
    2009-02-23 01:27 90,112 a------- c:\windows\system32\200922749.dll
    2009-02-23 01:07 86,016 a------- c:\windows\system32\u12362524.dll
    2009-02-23 01:07 77,824 a------- c:\windows\system32\u12395323.dll
    2009-02-23 01:07 90,112 a------- c:\windows\system32\20092720.dll
    2009-02-23 00:08 90,112 a------- c:\windows\system32\20092817.dll
    2009-02-23 00:08 77,824 a------- c:\windows\system32\u02381220.dll
    2009-02-23 00:08 86,016 a------- c:\windows\system32\u02378120.dll
    2009-02-22 14:51 86,016 a------- c:\windows\system32\u14227830.dll
    2009-02-22 14:51 90,112 a------- c:\windows\system32\200925125.dll
    2009-02-22 14:51 77,824 a------- c:\windows\system32\u142229629.dll
    2009-02-22 14:02 77,824 a------- c:\windows\system32\u14223439.dll
    2009-02-22 14:02 86,016 a------- c:\windows\system32\u142207.dll
    2009-02-21 19:02 86,016 a------- c:\windows\system32\u1921629.dll
    2009-02-21 19:02 77,824 a------- c:\windows\system32\u19215938.dll
    2009-02-21 19:02 90,112 a------- c:\windows\system32\2009224.dll
    2009-02-21 18:19 90,112 a------- c:\windows\system32\200921953.dll
    2009-02-21 18:19 77,824 a------- c:\windows\system32\u182198456.dll
    2009-02-21 18:19 86,016 a------- c:\windows\system32\u182128154.dll
    2009-02-21 13:00 86,016 a------- c:\windows\system32\u132176519.dll
    2009-02-21 13:00 77,824 a------- c:\windows\system32\u132182818.dll
    2009-02-21 13:00 90,112 a------- c:\windows\system32\20092014.dll
    2009-02-21 12:36 86,016 a------- c:\windows\system32\u122132830.dll
    2009-02-21 12:36 90,112 a------- c:\windows\system32\200923626.dll
    2009-02-21 12:36 77,824 a------- c:\windows\system32\u122175027.dll
    2009-02-21 12:34 65,536 a------- c:\windows\system32\der7399209.dll

    ==================== Find3M ====================

    2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
    2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
    2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
    2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
    2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
    2007-04-16 02:25 24,192 a------- c:\documents and settings\stan\usbsermptxp.sys
    2007-04-16 02:25 22,768 a------- c:\documents and settings\stan\usbsermpt.sys
    2006-10-23 10:04 70,076 a------- c:\documents and settings\stan\Winsock2.reg
    2006-05-14 22:22 33,408 a------- c:\documents and settings\stan\g2mdlhlpx.exe
    2008-08-19 18:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

    ============= FINISH: 2:14:03.20 ===============
     
    Last edited: 2009/02/27
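    The two patterns in the DDS log above that most clearly mark this infection are (a) services loaded through "svchost.exe -k netsvcs" under short names that are not Windows services (defaultlib as "Service AntiVir", eq2soft as "Service Eset", netmantow as "Network Connections.", softyinforwow1 as ".Freame Micer"), and (b) DLLs in system32 named only with digits, or "u" plus digits, created three at a time with the same three sizes (77,824 / 86,016 / 90,112 bytes) every hour or so. The script below is an added triage example for exactly that log format; it is not part of the original post and it is not the DDS tool's own code. Its sample input is copied from the SERVICES / DRIVERS and Created Last 30 sections of post 1, and its list of known netsvcs members is an assumption of the example, deliberately short and not a full reference for any Windows build.

```python
# Triage helper for a DDS-style log (added example; not from the original post
# or from the DDS tool itself).
import re
from collections import defaultdict

# Input copied from the DDS log in post 1 (other sections omitted).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2002-8-29 182272]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
S2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
S2 netmantow;Network Connections.;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2006-10-17 16896]

=============== Created Last 30 ================

2009-02-25 14:24 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-25 14:12 86,016 a------- c:\windows\system32\u142575027.dll
2009-02-25 14:12 77,824 a------- c:\windows\system32\u14257823.dll
2009-02-25 14:12 90,112 a------- c:\windows\system32\200921218.dll
2009-02-25 13:18 90,112 a------- c:\windows\system32\200921825.dll
2009-02-25 13:18 86,016 a------- c:\windows\system32\u132532829.dll
2009-02-25 13:18 77,824 a------- c:\windows\system32\u132546829.dll
2009-02-24 19:48 <DIR> --d----- c:\docume~1\stan\applic~1\Malwarebytes
2009-02-24 19:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# ASSUMPTION of this example: a short, non-exhaustive set of service short
# names that genuinely belong to the XP "netsvcs" svchost group. Real triage
# should compare against the full list for the exact OS build.
KNOWN_NETSVCS = {
    "wuauserv", "BITS", "Schedule", "winmgmt", "ShellHWDetection", "Themes",
    "lanmanserver", "lanmanworkstation", "Browser", "SENS", "Netman",
    "EventSystem", "helpsvc", "AudioSrv", "CryptSvc", "RasMan", "SharedAccess",
}

# "R2 name;display name;image [date size]" as DDS prints it
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "YYYY-MM-DD HH:MM size attrs path" (size may be <DIR>)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
# system32\<digits>.dll or system32\u<digits>.dll, the naming seen in the log
ODD_DLL_RE = re.compile(r"\\system32\\u?\d{6,}\.dll$", re.IGNORECASE)


def parse_services(text):
    """Return [(start_type, short_name, display_name, image)] for every line
    of the SERVICES / DRIVERS section."""
    found = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


def suspicious_netsvcs(text, known=KNOWN_NETSVCS):
    r"""Services hosted by 'svchost.exe -k netsvcs' whose short name is not a
    known member of that group. DDS prints only the svchost image path, so the
    DLL actually loaded is the ServiceDll value under
    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters; these are the
    keys to pull next."""
    flagged = []
    for _start, name, display, image in parse_services(text):
        if "svchost.exe -k netsvcs" in image.lower() and name not in known:
            flagged.append((name, display))
    return flagged


def odd_dll_batches(text):
    """Group odd-named system32 DLLs by creation minute and keep only minutes
    with two or more such files: {minute: [(size_bytes, path), ...]}. The same
    sizes landing together, repeatedly, is one dropper re-creating its parts."""
    by_minute = defaultdict(list)
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        minute, size, _attrs, path = m.groups()
        if ODD_DLL_RE.search(path):
            by_minute[minute].append((int(size.replace(",", "")), path))
    return {k: sorted(v) for k, v in by_minute.items() if len(v) >= 2}


def triage(text):
    """Run both checks and return a plain dict."""
    return {"netsvcs_impostors": suspicious_netsvcs(text),
            "dll_batches": odd_dll_batches(text)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, display in report["netsvcs_impostors"]:
        print(f"netsvcs service not in known list: {name} (display name {display!r})")
    for minute in sorted(report["dll_batches"]):
        files = report["dll_batches"][minute]
        sizes = ", ".join(str(s) for s, _ in files)
        print(f"{minute}: {len(files)} odd DLLs created together, sizes {sizes}")
```

    Run against the full log, the batch view also makes a later detail in this thread visible: in the ComboFix report in post 4, the all-digit DLLs (20092014.dll and the rest) appear under "Other Deletions", while the u-prefixed DLLs from the same minutes are still listed under "Files Created", so grouping by creation minute is a quick way to see which members of each drop set a cleanup pass has and has not touched.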
  2. 2009/02/27, Juliet
    Hi and welcome


    From what I'm seeing this machine is severely infected. I will do my best to help and try to clean the computer.


    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     

  4. 2009/02/27, stan1622 (Thread Starter)
    Thanks for your reply..... Here are the logs:


    ComboFix 09-02-26.02 - STAN 2009-02-27 10:12:51.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.55 [GMT -5:00]
    Running from: c:\documents and settings\STAN\Desktop\cleaner.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\setup.dll
    c:\windows\Install.txt
    c:\windows\SYSTEM32\20092014.dll
    c:\windows\SYSTEM32\20092017.dll
    c:\windows\SYSTEM32\20092101.dll
    c:\windows\SYSTEM32\200921010.dll
    c:\windows\SYSTEM32\200921126.dll
    c:\windows\SYSTEM32\200921218.dll
    c:\windows\SYSTEM32\200921654.dll
    c:\windows\SYSTEM32\200921825.dll
    c:\windows\SYSTEM32\200921953.dll
    c:\windows\SYSTEM32\2009224.dll
    c:\windows\SYSTEM32\200922749.dll
    c:\windows\SYSTEM32\20092287.dll
    c:\windows\SYSTEM32\200923148.dll
    c:\windows\SYSTEM32\200923626.dll
    c:\windows\SYSTEM32\200924249.dll
    c:\windows\SYSTEM32\200925125.dll
    c:\windows\SYSTEM32\2009263.dll
    c:\windows\SYSTEM32\20092720.dll
    c:\windows\SYSTEM32\20092817.dll
    c:\windows\SYSTEM32\20092827.dll
    c:\windows\SYSTEM32\2009296.dll
    c:\windows\system32\afisicx.exe
    c:\windows\system32\comrepl.exe
    c:\windows\system32\comsa32.sys
    c:\windows\system32\Install.txt
    c:\windows\system32\mabidwe.exe
    c:\windows\system32\open.ico
    c:\windows\system32\tpszxyd.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_DEFAULTLIB
    -------\Legacy_MABIDWE
    -------\Legacy_NETMANTOW
    -------\Legacy_SOFTYINFORWOW1
    -------\Legacy_SOXPECA
    -------\Service_afisicx
    -------\Service_defaultlib
    -------\Service_mabidwe
    -------\Service_netmantow
    -------\Service_softyinforwow1


    ((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
    .

    2009-02-27 02:05 . 2009-02-27 02:05 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
    2009-02-25 14:24 . 2009-01-09 14:19 1,089,593 --------- c:\windows\SYSTEM32\DLLCACHE\ntprint.cat
    2009-02-25 14:12 . 2009-02-25 14:12 86,016 --a------ c:\windows\SYSTEM32\u142575027.dll
    2009-02-25 14:12 . 2009-02-25 14:12 77,824 --a------ c:\windows\SYSTEM32\u14257823.dll
    2009-02-25 13:18 . 2009-02-25 13:18 86,016 --a------ c:\windows\SYSTEM32\u132532829.dll
    2009-02-25 13:18 . 2009-02-25 13:18 77,824 --a------ c:\windows\SYSTEM32\u132546829.dll
    2009-02-25 12:00 . 2009-02-25 12:00 86,016 --a------ c:\windows\SYSTEM32\u122579621.dll
    2009-02-25 12:00 . 2009-02-25 12:00 77,824 --a------ c:\windows\SYSTEM32\u122595321.dll
    2009-02-24 23:10 . 2009-02-24 23:10 86,016 --a------ c:\windows\SYSTEM32\u23245466.dll
    2009-02-24 21:28 . 2009-02-24 21:28 86,016 --a------ c:\windows\SYSTEM32\u212425013.dll
    2009-02-24 21:28 . 2009-02-24 21:28 77,824 --a------ c:\windows\SYSTEM32\u212442112.dll
    2009-02-24 20:10 . 2009-02-24 20:10 86,016 --a------ c:\windows\SYSTEM32\u202467115.dll
    2009-02-24 20:10 . 2009-02-24 20:10 77,824 --a------ c:\windows\SYSTEM32\u202434314.dll
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\STAN\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2009-02-24 19:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2009-02-24 19:31 . 2009-02-24 19:31 86,016 --a------ c:\windows\SYSTEM32\u192435953.dll
    2009-02-24 19:31 . 2009-02-24 19:31 77,824 --a------ c:\windows\SYSTEM32\u192429653.dll
    2009-02-24 18:17 . 2009-02-24 18:17 86,016 --a------ c:\windows\SYSTEM32\u18247501.dll
    2009-02-24 18:17 . 2009-02-24 18:17 77,824 --a------ c:\windows\SYSTEM32\u18243159.dll
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\windows\SYSTEM32\XPSViewer
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\program files\Reference Assemblies
    2009-02-24 17:26 . 2009-02-24 17:27 <DIR> d-------- C:\ad7466749e8d59fa3ab28d8b728c
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\DLLCACHE\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 05:50 597,504 --------- c:\windows\SYSTEM32\DLLCACHE\printfilterpipelinesvc.exe
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\DLLCACHE\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 117,760 --------- c:\windows\SYSTEM32\prntvpt.dll
    2009-02-24 17:26 . 2008-07-06 07:06 89,088 --------- c:\windows\SYSTEM32\DLLCACHE\filterpipelineprintproc.dll
    2009-02-24 03:08 . 2009-02-24 03:08 86,016 --a------ c:\windows\SYSTEM32\u32446831.dll
    2009-02-24 03:08 . 2009-02-24 03:08 77,824 --a------ c:\windows\SYSTEM32\u32439031.dll
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 22:42 . 2009-02-23 22:42 86,016 --a------ c:\windows\SYSTEM32\u222357853.dll
    2009-02-23 20:14 . 2009-02-23 22:35 <DIR> d-------- c:\documents and settings\STAN\Application Data\McAfee
    2009-02-23 18:11 . 2009-02-23 18:11 86,016 --a------ c:\windows\SYSTEM32\u182315632.dll
    2009-02-23 18:11 . 2009-02-23 18:11 77,824 --a------ c:\windows\SYSTEM32\u182385930.dll
    2009-02-23 17:06 . 2009-02-23 17:06 86,016 --a------ c:\windows\SYSTEM32\u17236409.dll
    2009-02-23 17:06 . 2009-02-23 17:06 77,824 --a------ c:\windows\SYSTEM32\u17232818.dll
    2009-02-23 15:09 . 2009-02-23 15:09 86,016 --a------ c:\windows\SYSTEM32\u152310911.dll
    2009-02-23 15:09 . 2009-02-23 15:09 77,824 --a------ c:\windows\SYSTEM32\u15237811.dll
    2009-02-23 01:27 . 2009-02-23 01:27 86,016 --a------ c:\windows\SYSTEM32\u12396856.dll
    2009-02-23 01:27 . 2009-02-23 01:27 77,824 --a------ c:\windows\SYSTEM32\u12356254.dll
    2009-02-23 01:07 . 2009-02-23 01:07 86,016 --a------ c:\windows\SYSTEM32\u12362524.dll
    2009-02-23 01:07 . 2009-02-23 01:07 77,824 --a------ c:\windows\SYSTEM32\u12395323.dll
    2009-02-23 00:08 . 2009-02-23 00:08 86,016 --a------ c:\windows\SYSTEM32\u02378120.dll
    2009-02-23 00:08 . 2009-02-23 00:08 77,824 --a------ c:\windows\SYSTEM32\u02381220.dll
    2009-02-22 14:51 . 2009-02-22 14:51 86,016 --a------ c:\windows\SYSTEM32\u14227830.dll
    2009-02-22 14:51 . 2009-02-22 14:51 77,824 --a------ c:\windows\SYSTEM32\u142229629.dll
    2009-02-22 14:02 . 2009-02-22 14:02 86,016 --a------ c:\windows\SYSTEM32\u142207.dll
    2009-02-22 14:02 . 2009-02-22 14:02 77,824 --a------ c:\windows\SYSTEM32\u14223439.dll
    2009-02-21 19:02 . 2009-02-21 19:02 86,016 --a------ c:\windows\SYSTEM32\u1921629.dll
    2009-02-21 19:02 . 2009-02-21 19:02 77,824 --a------ c:\windows\SYSTEM32\u19215938.dll
    2009-02-21 18:19 . 2009-02-21 18:19 86,016 --a------ c:\windows\SYSTEM32\u182128154.dll
    2009-02-21 18:19 . 2009-02-21 18:19 77,824 --a------ c:\windows\SYSTEM32\u182198456.dll
    2009-02-21 13:00 . 2009-02-21 13:00 86,016 --a------ c:\windows\SYSTEM32\u132176519.dll
    2009-02-21 13:00 . 2009-02-21 13:00 77,824 --a------ c:\windows\SYSTEM32\u132182818.dll
    2009-02-21 12:36 . 2009-02-21 12:36 86,016 --a------ c:\windows\SYSTEM32\u122132830.dll
    2009-02-21 12:36 . 2009-02-21 12:36 77,824 --a------ c:\windows\SYSTEM32\u122175027.dll
    2009-02-21 12:34 . 2009-02-21 12:34 65,536 --a------ c:\windows\SYSTEM32\der7399209.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-24 22:28 --------- d-----w c:\program files\MSBuild
    2009-02-24 06:40 --------- d-----w c:\program files\Windows Defender
    2009-02-24 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-23 05:03 --------- d-----w c:\program files\Smart Panel
    2009-02-23 05:00 --------- d-----w c:\program files\EPSON
    2009-02-13 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-13 03:12 --------- d-----w c:\program files\IncrediMail
    2007-04-16 07:25 24,192 ----a-w c:\documents and settings\STAN\usbsermptxp.sys
    2007-04-16 07:25 22,768 ----a-w c:\documents and settings\STAN\usbsermpt.sys
    2006-10-23 15:04 70,076 ----a-w c:\documents and settings\STAN\Winsock2.reg
    2006-05-15 03:22 33,408 ----a-w c:\documents and settings\STAN\g2mdlhlpx.exe
    2008-08-19 23:31 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    --a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2004-06-11 17:32 77824 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
    --a------ 2004-06-03 21:05 32881 c:\program files\Java\j2re1.4.2_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2005-06-03 02:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "ERSvc"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "mnmsrvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\Magentic\\bin\\MgImp.exe"=
    "c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
    "c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    R2 eq2soft;Service Eset;c:\windows\System32\svchost.exe -k netsvcs [2004-08-24 14336]
    S0 cnwpn;cnwpn;c:\windows\system32\drivers\rkqfcwp.sys --> c:\windows\system32\drivers\rkqfcwp.sys [?]
    S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
    S3 SynasUSB;SynasUSB;c:\windows\SYSTEM32\DRIVERS\synasUSB.sys [2006-10-17 16896]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - Nla
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - sopidkc
    *Deregistered* - Spooler
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - w32time
    *Deregistered* - WebClient
    *Deregistered* - WinDefend
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WudfSvc
    *Deregistered* - WZCSVC

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    eq2soft
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-27 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
    MSConfigStartUp-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ebay.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-27 10:20:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    c:\windows\SYSTEM32\sopidkc.exe [2000] 0xFFB213C0

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Windows Defender\MsMpEng.exe
    c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
    c:\program files\IncrediMail\bin\ImApp.exe
    c:\windows\SYSTEM32\fxssvc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-27 10:27:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-27 15:27:33

    Pre-Run: 20,539,613,184 bytes free
    Post-Run: 20,450,164,736 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    268 --- E O F --- 2009-02-27 15:13:08





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:33:56 AM, on 2/27/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\STAN\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe

    --
    End of file - 3851 bytes
     
  5. 2009/02/27
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    We have quite a bit of work to do.

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.


    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File:: 
    c:\windows\system32\drivers\rkqfcwp.sys
    c:\windows\SYSTEM32\u142575027.dll
    c:\windows\SYSTEM32\u14257823.dll
    c:\windows\SYSTEM32\u132532829.dll
    c:\windows\SYSTEM32\u132546829.dll
    c:\windows\SYSTEM32\u122579621.dll
    c:\windows\SYSTEM32\u122595321.dll
    c:\windows\SYSTEM32\u23245466.dll
    c:\windows\SYSTEM32\u212425013.dll
    c:\windows\SYSTEM32\u212442112.dll
    c:\windows\SYSTEM32\u202467115.dll
    c:\windows\SYSTEM32\u202434314.dll
    c:\windows\SYSTEM32\u192435953.dll
    c:\windows\SYSTEM32\u192429653.dll
    c:\windows\SYSTEM32\u18247501.dll
    c:\windows\SYSTEM32\u18243159.dll
    c:\windows\SYSTEM32\u32446831.dll
    c:\windows\SYSTEM32\u32439031.dll
    c:\windows\SYSTEM32\u222357853.dll
    c:\windows\SYSTEM32\u182315632.dll
    c:\windows\SYSTEM32\u182385930.dll
    c:\windows\SYSTEM32\u17236409.dll
    c:\windows\SYSTEM32\u17232818.dll
    c:\windows\SYSTEM32\u152310911.dll
    c:\windows\SYSTEM32\u15237811.dll
    c:\windows\SYSTEM32\u12396856.dll
    c:\windows\SYSTEM32\u12356254.dll
    c:\windows\SYSTEM32\u12362524.dll
    c:\windows\SYSTEM32\u12395323.dll
    c:\windows\SYSTEM32\u02378120.dll
    c:\windows\SYSTEM32\u02381220.dll
    c:\windows\SYSTEM32\u14227830.dll
    c:\windows\SYSTEM32\u142229629.dll
    c:\windows\SYSTEM32\u142207.dll
    c:\windows\SYSTEM32\u14223439.dll
    c:\windows\SYSTEM32\u1921629.dll
    c:\windows\SYSTEM32\u19215938.dll
    c:\windows\SYSTEM32\u182128154.dll
    c:\windows\SYSTEM32\u182198456.dll
    c:\windows\SYSTEM32\u132176519.dll
    c:\windows\SYSTEM32\u132182818.dll
    c:\windows\SYSTEM32\u122132830.dll
    c:\windows\SYSTEM32\u122175027.dll
    c:\windows\SYSTEM32\der7399209.dll
    C:\WINDOWS\system32\sopidkc.exe
    
    Driver::
    cnwpn
    eq2soft
    sopidkc
    
    NetSvc::
    eq2soft
    
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    [screenshot]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT**
    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.





    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition
      files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.



    How's your computer now?
     
    Last edited: 2009/02/27
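    Added example, not ComboFix's, HijackThis's or the forum helper's own code: a small Python triage script that parses the ComboFix "Files Created" lines and HijackThis O23 lines in the formats shown in the logs above, flags the pattern seen in this thread (freshly dropped SYSTEM32 DLLs with random numeric names, and a service with unknown owner) and prints a File:: section in the shape of the CFScript the helper posted. The name-pattern heuristic is an assumption drawn from this thread, not a ComboFix rule, and the sample lines are constructed from the posted logs.

```python
"""Triage helper for ComboFix 'Files Created' lines and HijackThis O23 lines.

Added example, not ComboFix's, HijackThis's or the forum helper's own code.
The name-pattern heuristic is an assumption drawn from this thread, not a
ComboFix rule; the sample lines are constructed from the logs posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ComboFix "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Names seen in the thread: u142575027.dll, der7399209.dll, 20092014.dll
RANDOM_DLL = re.compile(r"^(?:u|der)?\d{6,}\.dll$", re.IGNORECASE)
# HijackThis service line: O23 - Service: <name> - <owner> - <path>
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    path: str
    reason: str


def parse_combofix_line(line: str) -> Optional[Dict[str, str]]:
    """Split one 'Files Created' line into its fields, or None if it is not one."""
    m = CF_LINE.match(line.strip())
    return m.groupdict() if m else None


def flag_combofix(lines: List[str]) -> List[Finding]:
    """Flag freshly dropped DLLs in SYSTEM32 whose names are 'u'/'der' plus digits."""
    findings = []
    for line in lines:
        rec = parse_combofix_line(line)
        if rec is None or rec["size"] == "<DIR>":
            continue
        parts = rec["path"].split("\\")
        in_system32 = any(p.lower() == "system32" for p in parts[:-1])
        # Created and modified stamps identical: the file was written in place,
        # unlike the XPS/DLLCACHE entries whose modified stamp predates creation.
        fresh = rec["created"] == rec["modified"]
        if in_system32 and fresh and RANDOM_DLL.match(parts[-1]):
            findings.append(Finding(rec["path"], f"random numeric DLL name in SYSTEM32, {rec['size']} bytes"))
    return findings


def flag_hjt(lines: List[str]) -> List[Finding]:
    """Flag O23 services HijackThis could not attribute to a vendor."""
    findings = []
    for line in lines:
        m = HJT_O23.match(line.strip())
        if m and m["owner"].lower() == "unknown owner":
            findings.append(Finding(m["path"], f"service '{m['name']}' with unknown owner"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render a File:: section in the shape of the helper's CFScript above.

    Only the File:: section is generated; Driver:: and NetSvc:: entries need the
    Drivers/Services part of the log, which this example does not parse.
    """
    paths = sorted({f.path for f in findings}, key=str.lower)
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample input, copied in shape from the logs posted in this thread.
SAMPLE_COMBOFIX = r"""
2009-02-25 14:12 . 2009-02-25 14:12 86,016 --a------ c:\windows\SYSTEM32\u142575027.dll
2009-02-25 14:12 . 2009-02-25 14:12 77,824 --a------ c:\windows\SYSTEM32\u14257823.dll
2009-02-24 19:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
2009-02-21 12:34 . 2009-02-21 12:34 65,536 --a------ c:\windows\SYSTEM32\der7399209.dll
2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
""".strip().splitlines()

SAMPLE_HJT = [
    r"O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe",
    r"O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe",
]

if __name__ == "__main__":
    found = flag_combofix(SAMPLE_COMBOFIX) + flag_hjt(SAMPLE_HJT)
    for f in found:
        print(f"{f.path}  <- {f.reason}")
    print(build_cfscript(found))
```

    The generated File:: list is a starting point for review, not a verdict: every flagged path should still be checked against the Drivers/Services section and the catchme hidden-process output before anything is removed.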
  6. 2009/02/27
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    Everything seems to have gone well except when I run Kaspersky. I get an error message and it freezes at 12%. Tried to run a couple other times. I have posted the other 2 logs.



    ComboFix 09-02-26.02 - STAN 2009-02-27 13:19:53.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.56 [GMT -5:00]
    Running from: c:\documents and settings\STAN\Desktop\cleaner.exe
    Command switches used :: c:\documents and settings\STAN\Desktop\CFScript.text
    * Created a new restore point

    FILE ::
    c:\windows\SYSTEM32\der7399209.dll
    c:\windows\system32\drivers\rkqfcwp.sys
    c:\windows\system32\sopidkc.exe
    c:\windows\SYSTEM32\u02378120.dll
    c:\windows\SYSTEM32\u02381220.dll
    c:\windows\SYSTEM32\u122132830.dll
    c:\windows\SYSTEM32\u122175027.dll
    c:\windows\SYSTEM32\u122579621.dll
    c:\windows\SYSTEM32\u122595321.dll
    c:\windows\SYSTEM32\u12356254.dll
    c:\windows\SYSTEM32\u12362524.dll
    c:\windows\SYSTEM32\u12395323.dll
    c:\windows\SYSTEM32\u12396856.dll
    c:\windows\SYSTEM32\u132176519.dll
    c:\windows\SYSTEM32\u132182818.dll
    c:\windows\SYSTEM32\u132532829.dll
    c:\windows\SYSTEM32\u132546829.dll
    c:\windows\SYSTEM32\u142207.dll
    c:\windows\SYSTEM32\u142229629.dll
    c:\windows\SYSTEM32\u14223439.dll
    c:\windows\SYSTEM32\u14227830.dll
    c:\windows\SYSTEM32\u142575027.dll
    c:\windows\SYSTEM32\u14257823.dll
    c:\windows\SYSTEM32\u152310911.dll
    c:\windows\SYSTEM32\u15237811.dll
    c:\windows\SYSTEM32\u17232818.dll
    c:\windows\SYSTEM32\u17236409.dll
    c:\windows\SYSTEM32\u182128154.dll
    c:\windows\SYSTEM32\u182198456.dll
    c:\windows\SYSTEM32\u182315632.dll
    c:\windows\SYSTEM32\u182385930.dll
    c:\windows\SYSTEM32\u18243159.dll
    c:\windows\SYSTEM32\u18247501.dll
    c:\windows\SYSTEM32\u19215938.dll
    c:\windows\SYSTEM32\u1921629.dll
    c:\windows\SYSTEM32\u192429653.dll
    c:\windows\SYSTEM32\u192435953.dll
    c:\windows\SYSTEM32\u202434314.dll
    c:\windows\SYSTEM32\u202467115.dll
    c:\windows\SYSTEM32\u212425013.dll
    c:\windows\SYSTEM32\u212442112.dll
    c:\windows\SYSTEM32\u222357853.dll
    c:\windows\SYSTEM32\u23245466.dll
    c:\windows\SYSTEM32\u32439031.dll
    c:\windows\SYSTEM32\u32446831.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\SYSTEM32\der7399209.dll
    c:\windows\system32\sopidkc.exe
    c:\windows\system32\tpszxyd.sys
    c:\windows\SYSTEM32\u02378120.dll
    c:\windows\SYSTEM32\u02381220.dll
    c:\windows\SYSTEM32\u122132830.dll
    c:\windows\SYSTEM32\u122175027.dll
    c:\windows\SYSTEM32\u122579621.dll
    c:\windows\SYSTEM32\u122595321.dll
    c:\windows\SYSTEM32\u12356254.dll
    c:\windows\SYSTEM32\u12362524.dll
    c:\windows\SYSTEM32\u12395323.dll
    c:\windows\SYSTEM32\u12396856.dll
    c:\windows\SYSTEM32\u132176519.dll
    c:\windows\SYSTEM32\u132182818.dll
    c:\windows\SYSTEM32\u132532829.dll
    c:\windows\SYSTEM32\u132546829.dll
    c:\windows\SYSTEM32\u142207.dll
    c:\windows\SYSTEM32\u142229629.dll
    c:\windows\SYSTEM32\u14223439.dll
    c:\windows\SYSTEM32\u14227830.dll
    c:\windows\SYSTEM32\u142575027.dll
    c:\windows\SYSTEM32\u14257823.dll
    c:\windows\SYSTEM32\u152310911.dll
    c:\windows\SYSTEM32\u15237811.dll
    c:\windows\SYSTEM32\u17232818.dll
    c:\windows\SYSTEM32\u17236409.dll
    c:\windows\SYSTEM32\u182128154.dll
    c:\windows\SYSTEM32\u182198456.dll
    c:\windows\SYSTEM32\u182315632.dll
    c:\windows\SYSTEM32\u182385930.dll
    c:\windows\SYSTEM32\u18243159.dll
    c:\windows\SYSTEM32\u18247501.dll
    c:\windows\SYSTEM32\u19215938.dll
    c:\windows\SYSTEM32\u1921629.dll
    c:\windows\SYSTEM32\u192429653.dll
    c:\windows\SYSTEM32\u192435953.dll
    c:\windows\SYSTEM32\u202434314.dll
    c:\windows\SYSTEM32\u202467115.dll
    c:\windows\SYSTEM32\u212425013.dll
    c:\windows\SYSTEM32\u212442112.dll
    c:\windows\SYSTEM32\u222357853.dll
    c:\windows\SYSTEM32\u23245466.dll
    c:\windows\SYSTEM32\u32439031.dll
    c:\windows\SYSTEM32\u32446831.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_EQ2SOFT
    -------\Legacy_SOPIDKC
    -------\Service_cnwpn
    -------\Service_eq2soft
    -------\Service_sopidkc


    ((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
    .

    2009-02-27 02:05 . 2009-02-27 02:05 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
    2009-02-25 14:24 . 2009-01-09 14:19 1,089,593 --------- c:\windows\SYSTEM32\DLLCACHE\ntprint.cat
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\STAN\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2009-02-24 19:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\windows\SYSTEM32\XPSViewer
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\program files\Reference Assemblies
    2009-02-24 17:26 . 2009-02-24 17:27 <DIR> d-------- C:\ad7466749e8d59fa3ab28d8b728c
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\DLLCACHE\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 05:50 597,504 --------- c:\windows\SYSTEM32\DLLCACHE\printfilterpipelinesvc.exe
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\DLLCACHE\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 117,760 --------- c:\windows\SYSTEM32\prntvpt.dll
    2009-02-24 17:26 . 2008-07-06 07:06 89,088 --------- c:\windows\SYSTEM32\DLLCACHE\filterpipelineprintproc.dll
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 20:14 . 2009-02-23 22:35 <DIR> d-------- c:\documents and settings\STAN\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-24 22:28 --------- d-----w c:\program files\MSBuild
    2009-02-24 06:40 --------- d-----w c:\program files\Windows Defender
    2009-02-24 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-23 05:03 --------- d-----w c:\program files\Smart Panel
    2009-02-23 05:00 --------- d-----w c:\program files\EPSON
    2009-02-13 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-13 03:12 --------- d-----w c:\program files\IncrediMail
    2007-04-16 07:25 24,192 ----a-w c:\documents and settings\STAN\usbsermptxp.sys
    2007-04-16 07:25 22,768 ----a-w c:\documents and settings\STAN\usbsermpt.sys
    2006-10-23 15:04 70,076 ----a-w c:\documents and settings\STAN\Winsock2.reg
    2006-05-15 03:22 33,408 ----a-w c:\documents and settings\STAN\g2mdlhlpx.exe
    2008-08-19 23:31 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "IncrediMail "= "c:\program files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher "= "c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "DVDSentry "= "c:\windows\System32\DSentry.exe" [2003-08-13 28672]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    --a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2004-06-11 17:32 77824 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
    --a------ 2004-06-03 21:05 32881 c:\program files\Java\j2re1.4.2_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2005-06-03 02:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr "=3 (0x3)
    "FastUserSwitchingCompatibility "=3 (0x3)
    "ERSvc "=2 (0x2)
    "SCardSvr "=3 (0x3)
    "mnmsrvc "=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe "=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe "=
    "c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe "=
    "c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe "=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe "=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe "=
    "c:\\Program Files\\Magentic\\bin\\MgImp.exe "=
    "c:\\Program Files\\Magentic\\bin\\Magentic.exe "=
    "c:\\Program Files\\Magentic\\bin\\MgApp.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=

    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
    S3 SynasUSB;SynasUSB;c:\windows\SYSTEM32\DRIVERS\synasUSB.sys [2006-10-17 16896]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-27 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ebay.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-27 13:26:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
    c:\program files\IncrediMail\bin\ImApp.exe
    c:\windows\SYSTEM32\fxssvc.exe
    c:\windows\SYSTEM32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-27 13:31:30 - machine was rebooted [STAN]
    ComboFix-quarantined-files.txt 2009-02-27 18:31:25
    ComboFix2.txt 2009-02-27 15:27:40

    Pre-Run: 20,421,935,104 bytes free
    Post-Run: 20,418,564,096 bytes free

    240 --- E O F --- 2009-02-27 15:13:08




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:03:24 PM, on 2/27/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\IncrediMail\bin\IncMail.exe
    C:\Documents and Settings\STAN\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 4024 bytes
     
  7. 2009/02/27
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Certainly looking better... How's the computer now?

    Let's ditch Kaspersky and try a different one.


    Perform an online scan with Panda ActiveScan
    * Click on Scan Your PC Now
    * A "pop up" window will appear, or a new tab will open.
    * Click on Register
    * Choose the option you like most, but we recommend the Free Registration.

    Click on Register
    # Enter your e-mail address, and create a password.
    # Select "I do not want to receive any type of information". (unless you want to receive such information)
    # Click on Send
    # Confirm registration, and continue by entering your user name and password, then click on Enter
    # Select Full Scan, then Click on Scan Now
    # Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
    # If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
    # Please ignore the offer to buy the program. Click on Export To

    * Export the log and save it to your desktop.
    * Please post the contents of that log in your next reply.
    * Turn off the real-time scanner of any existing antivirus program while performing the online scan.
     
  8. 2009/02/27
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-02-27 20:54:16
    PROTECTIONS: 1
    MALWARE: 16
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Windows Defender 1.1.4306.0 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@atdmt[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@tribalfusion[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@mediaplex[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@ad.yieldmanager[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@questionmarket[2].txt
    00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497368.bat
    00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497341.bat
    00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497198.bat
    00593436 W32/Autorun.AQG.worm Virus/Worm No 1 No No C:\Documents and Settings\STAN\Desktop\cleaner.exe[32788R22FWJFW\List.bat]
    00609454 Trj/Downloader.VLG Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1757\A0493579.sys
    00609460 Trj/Downloader.VLG Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1757\A0489879.exe
    00609460 Trj/Downloader.VLG Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1757\A0489878.exe
    00609460 Trj/Downloader.VLG Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1757\A0489812.old
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200921825.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092017.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497232.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497231.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092287.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200923148.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497228.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200924249.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497226.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\2009263.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497224.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497223.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092827.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\2009296.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497219.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497218.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497217.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497216.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497215.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497214.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497213.dll
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092101.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200921010.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200921126.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200921218.dll.vir
    00610534 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200921654.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u132182818.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497397.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u132546829.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497396.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u142229629.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u14223439.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497394.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497391.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u14257823.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497390.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u15237811.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u17232818.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497388.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497386.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u182198456.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497383.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u182385930.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u18243159.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497381.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u19215938.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497380.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u192429653.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497378.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u202434314.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497376.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497400.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u212442112.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497402.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u23245466.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u32439031.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497403.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497405.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497407.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u12395323.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497409.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u12356254.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497412.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u122595321.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497414.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u122175027.dll.vir
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497415.dll
    00610536 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u02381220.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u02378120.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u122132830.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u122579621.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497413.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497416.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497411.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497410.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u12362524.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497408.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u12396856.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497406.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u132532829.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u132176519.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497404.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u32446831.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u222357853.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u142207.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497401.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u212425013.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497399.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497375.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u202467115.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497377.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u192435953.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497379.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u1921629.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u18247501.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497382.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u182315632.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497384.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497385.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u182128154.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497387.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u17236409.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497389.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u152310911.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u142575027.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497392.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497393.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\u14227830.dll.vir
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497395.dll
    00610555 Trj/Wow.WA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497398.dll
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497449.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497258.EXE
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497237.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497426.sys
    05029886 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1761\A0497372.dll
    05029886 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\der7399209.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\2009224.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200922749.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497230.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200923626.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497227.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200921953.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497225.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092720.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092817.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497222.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497221.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497220.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\20092014.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497212.dll
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\200925125.dll.vir
    05034594 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1760\A0497229.dll
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location 'W
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description 'W
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  9. 2009/02/28
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    What antivirus are you using?
    Would you like a list of a couple of free choices?...Not seeing one in your logs unless it's been disabled?

    The Panda log isn't in too bad of shape.

    C:\System Volume Information\_restore
    C:\Qoobox\Quarantine

    We'll take care of the above items in final cleanup.

    Question about one of the items it found.
    C:\Documents and Settings\STAN\Desktop\cleaner.exe[32788R22FWJFW\List.bat]
    Do you know what the above is?... Did you create this? It looks as if it might be a part of Combofix?


    How's the computer now?
     
  10. 2009/02/28
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    HI Juliet
    My computer is running much better.
    I was running McAfee... But it seems to slow my computer down to a snail's pace?
    I am open to your suggestions on antivirus.

    C:\Documents and Settings\STAN\Desktop\cleaner.exe[32788R22FWJFW\List.bat]...... I believe the instructions said to rename ComboFix when downloading, so I am guessing that's what this is? I did rename it "cleaner"....
     
  11. 2009/02/28
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    :D
    Correct, I found the information after I posted and was side tracked.



    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below
    [IMG]


    Gotcha!

    I can give you links to free Antivirus and Firewall programs which are used by a very many.
    What you'll probably have to do is experiment somewhat to find one that runs well on your machine.

    Avira
    Here is a tutorial on its setup and use:
    http://www.techsupportforum.com/content/Se...rticles/64.html

    Avast!
    How to Install, Configure, and Use Avast Antivirus

    AVG Free ,
    Help overview http://free.grisoft.com/doc/5/us/frt/0/num/616#faq_616
    This is a very useful read:
    http://grandstreamdreams.blogspot.com/2008/04/taming-avg-free-version-8.html

    Never install more than one antivirus scanner or firewall on your system.

    Free Antivirus With Resident Protection and other related resources.
    http://users.telenet.be/bluepatchy/miekiem...irus%20Scanners
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    If installing a Firewall please disable Windows XP Firewall.
    To disable Windows Firewall, follow these steps:
    1. Click Start.
    2. Click Run.
    3. Type Firewall.cpl, and then click OK.
    4. On the General tab, click Off (not recommended).
    5. Click OK.
    ********************

    The following FREE Firewall versions are:
    Zone Alarm free:
    http://www.zonealarm.com/store/content/cat...ry=US〈=en
    PDF documentation for Zone Alarm available here:
    http://www.zonealarm.com/store/content/sup...a/znalmMain.jsp
    If you are going to try Zone Alarm, I suggest just installing the basic firewall so the bundled trial antivirus does not get installed. Also, I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com here: http://www.benedelman.org/spyware/installa...kjeeves-banner/

    Comodo free:
    http://www.personalfirewall.comodo.com/
    If you want only the Firewall, you can de-select Install Comodo AntiVirus during the installation process.
    http://forums.comodo.com/firewall_faq/where_is_the_standalone_firewall-t27112.0.html
    Comodo (Uncheck during installation "Install Comodo SafeSurf.. ", Make Comodo my default search provider" and "Make Comodo Search my homepage ")

    Sunbelt kerio:
    http://www.sunbelt-software.com/Home-Home-...ewall/Download/
    PDF documentation for Sunbelt Kerio available here:
    http://www.sunbelt-software.com/Home-Home-.../Documentation/

    Online Armor Free
    http://www.tallemu.com/free-firewall-prote...n-software.html

    Jetico free:
    http://www.jetico.com/index.htm#/jpfirewall.htm

    Note: You must only use 1 (one) Firewall at a time because if you have 2 or more Firewalls running at the same time, they will conflict with each other and make your security less reliable.
    The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

    For a tutorial on Firewalls and a listing of available ones see the link Here



    stan1622, I believe you're good to go, good job!

    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  12. 2009/02/28
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    I thought I was in the clear and now I have spyware protect 2009 alert and a ton of popups etc. MBAM won't load?
     
  13. 2009/02/28
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Did you download one of the free Antivirus I gave in a previous reply?



    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    [IMG]


    [IMG]
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  14. 2009/02/28
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    I am having trouble connecting to the internet. Can I download ComboFix on my laptop and send it via network to the infected computer?
     
  15. 2009/02/28
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    I was able to transfer ComboFix via network from the laptop..... I will post logs shortly.
     
  16. 2009/02/28
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Make sure it's downloaded and installed to the desktop of the infected computer.


    BTW
    What happened between now and when it was clean?
     
    Last edited: 2009/02/28
  17. 2009/02/28
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    HI
    Sorry
    I got lazy.... My son got on before I got a chance to set everything up. I will do it right after it's clear. ComboFix ran and asked me to write down some files. I do have an error message coming up on start... macromedia file dll missing.
    Logs below:

    ComboFix 09-02-28.01 - STAN 2009-02-28 21:34:26.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.14 [GMT -5:00]
    Running from: c:\documents and settings\STAN\Desktop\cleaner.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\sysguard.exe
    c:\windows\system32\drivers\UACwbuwsfti.sys
    c:\windows\system32\iehelper.dll
    c:\windows\system32\UACaektlcfd.log
    c:\windows\system32\UACemqtscca.log
    c:\windows\system32\UACfyfulkie.dat
    c:\windows\system32\UACorrurawr.dll
    c:\windows\system32\UACpnbdamwd.dll
    c:\windows\system32\UACqhheruvx.dll
    c:\windows\system32\UACviyusing.log
    c:\windows\system32\UACvovywwxv.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
    .

    2009-02-28 20:37 . 2009-02-28 20:37 16,896 --a------ c:\windows\syssvc.exe
    2009-02-28 20:37 . 2009-02-28 20:37 16,896 --a------ c:\windows\svcho.exe
    2009-02-28 20:01 . 2009-02-28 20:01 5,516 --a------ c:\windows\SYSTEM32\uacinit.dll
    2009-02-27 18:51 . 2008-06-19 16:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
    2009-02-27 18:50 . 2009-02-27 18:50 <DIR> d-------- c:\program files\Panda Security
    2009-02-27 13:44 . 2009-02-27 13:44 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
    2009-02-27 13:40 . 2009-02-27 13:41 <DIR> d-------- c:\documents and settings\STAN\.SunDownloadManager
    2009-02-27 02:05 . 2009-02-27 02:05 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
    2009-02-25 14:24 . 2009-01-09 14:19 1,089,593 --------- c:\windows\SYSTEM32\DLLCACHE\ntprint.cat
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\STAN\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\windows\SYSTEM32\XPSViewer
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\program files\Reference Assemblies
    2009-02-24 17:26 . 2009-02-24 17:27 <DIR> d-------- C:\ad7466749e8d59fa3ab28d8b728c
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\DLLCACHE\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 05:50 597,504 --------- c:\windows\SYSTEM32\DLLCACHE\printfilterpipelinesvc.exe
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\DLLCACHE\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 117,760 --------- c:\windows\SYSTEM32\prntvpt.dll
    2009-02-24 17:26 . 2008-07-06 07:06 89,088 --------- c:\windows\SYSTEM32\DLLCACHE\filterpipelineprintproc.dll
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 20:14 . 2009-02-23 22:35 <DIR> d-------- c:\documents and settings\STAN\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-27 18:44 --------- d-----w c:\program files\Java
    2009-02-24 22:28 --------- d-----w c:\program files\MSBuild
    2009-02-24 06:40 --------- d-----w c:\program files\Windows Defender
    2009-02-24 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-23 05:03 --------- d-----w c:\program files\Smart Panel
    2009-02-23 05:00 --------- d-----w c:\program files\EPSON
    2009-02-13 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-13 03:12 --------- d-----w c:\program files\IncrediMail
    2007-04-16 07:25 24,192 ----a-w c:\documents and settings\STAN\usbsermptxp.sys
    2007-04-16 07:25 22,768 ----a-w c:\documents and settings\STAN\usbsermpt.sys
    2006-10-23 15:04 70,076 ----a-w c:\documents and settings\STAN\Winsock2.reg
    2006-05-15 03:22 33,408 ----a-w c:\documents and settings\STAN\g2mdlhlpx.exe
    2008-08-19 23:31 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "IncrediMail "= "c:\program files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]
    "rundll32.exe "= "c:\documents and settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll" [2009-02-28 64512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher "= "c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "DVDSentry "= "c:\windows\System32\DSentry.exe" [2003-08-13 28672]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-02-27 148888]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe "= "c:\documents and settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll" [2009-02-28 64512]

    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "svcho "= "c:\windows\svcho.exe" [2009-02-28 16896]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave1 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "wave2 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "mixer1 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "mixer2 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "aux1 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "aux2 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "midi1 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "midi2 "= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    --a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2004-06-11 17:32 77824 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr "=3 (0x3)
    "FastUserSwitchingCompatibility "=3 (0x3)
    "ERSvc "=2 (0x2)
    "SCardSvr "=3 (0x3)
    "mnmsrvc "=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe "=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe "=
    "c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe "=
    "c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe "=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe "=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe "=
    "c:\\Program Files\\Magentic\\bin\\MgImp.exe "=
    "c:\\Program Files\\Magentic\\bin\\Magentic.exe "=
    "c:\\Program Files\\Magentic\\bin\\MgApp.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\WINDOWS\\svcho.exe "=

    R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2009-02-27 28544]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
    S3 SynasUSB;SynasUSB;c:\windows\SYSTEM32\DRIVERS\synasUSB.sys [2006-10-17 16896]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-01 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll
    HKCU-Run-system tool - c:\windows\sysguard.exe
    MSConfigStartUp-Sonic RecordNow! - c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_04\bin\jusched.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ebay.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    .
    .
    ------- File Associations -------
    .
    txtfile= "c:\windows\system32\nxtepad.exe" "%1 "
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-28 21:38:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-02-28 21:42:40
    ComboFix-quarantined-files.txt 2009-03-01 02:42:30
    ComboFix2.txt 2009-02-27 18:31:33

    Pre-Run: 23,136,100,352 bytes free
    Post-Run: 23,196,921,856 bytes free

    173 --- E O F --- 2009-02-27 15:13:08

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:46:51 PM, on 2/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\STAN\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll" "
    O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
    O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll" " (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll" " (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 4460 bytes
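    The HijackThis log above carries the same handful of patterns that keep showing up in this thread: an O1 hosts entry sending a Microsoft hostname to a routable address, O4 Run entries where rundll32 loads a DLL out of a user profile's Application Data folder, an autostart under Policies\Explorer\Run, and an executable dropped directly into the Windows folder. As an added example (this is not code from the thread, nor from HijackThis or ComboFix), here is a small Python triage script that scans HijackThis-style lines for those patterns. The rule names and the thresholds are my own heuristics, and the sample lines are constructed to mirror the log's format.

```python
"""Startup-entry triage for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or
the forum post. The rules are the editor's heuristics, and the sample
lines are constructed to mirror the format of the log in the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the log text
    rule: str      # short heuristic identifier
    detail: str    # the path or mapping that triggered the rule


# Constructed sample in HijackThis format: benign entries mixed with the
# kinds of entries a helper would ask to have fixed.
SAMPLE_LOG_LINES = [
    r"O1 - Hosts: 195.245.119.131 browser-security.microsoft.com",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll"',
    r"O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe",
    r'''O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll" (User 'SYSTEM')''',
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 followed by an optionally quoted DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\s][^"]*?\.dll)', re.I)
# The program at the head of a Run command, quoted or not, up to the first ".exe".
EXE_HEAD_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.I)
# An executable sitting directly in the Windows folder (no subfolder).
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()

        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group("ip"), m.group("host")
            # Heuristic: legitimate hosts entries almost always point at loopback
            # (ad/blocklists). A vendor hostname mapped to a routable address is
            # the pattern rogue "security" pages use to impersonate a vendor.
            if ip not in LOOPBACK:
                findings.append(Finding(n, "hosts-redirect", f"{host} -> {ip}"))
            continue

        m = RUN_RE.match(line)
        if not m:
            continue
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")

        # Policies\Explorer\Run is rarely used by legitimate software but is a
        # common autostart for malware because most users never look there.
        if "policies\\explorer\\run" in key.lower():
            findings.append(Finding(n, "policies-run", f"[{name}] {cmd}"))

        # rundll32 loading a DLL from a profile's Application Data folder:
        # a DLL with a random-looking name under a user profile is a red flag.
        d = RUNDLL_RE.search(cmd)
        if d and "\\application data\\" in d.group("dll").lower():
            findings.append(Finding(n, "rundll32-profile-dll", d.group("dll")))

        # Executables placed directly in %SystemRoot% with system-like names.
        e = EXE_HEAD_RE.match(cmd)
        if e and WINROOT_EXE_RE.match(e.group("exe")):
            findings.append(Finding(n, "windows-root-exe", e.group("exe")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.detail}")
```

Run against the constructed sample, the script flags five entries on four lines and stays silent on the igfxtray, BHO and service lines. The rules are deliberately narrow: a hit is a prompt to look closer at the entry (date, size, signer, whether a matching driver or service exists), not a verdict, and a clean result from these four checks says nothing about drivers32 hijacks or hidden drivers, which need the ComboFix and rootkit sections of the logs.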
     
  18. 2009/02/28
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Well, quite a bit to do.


    Print or save instructions to notepad/wordpad.



    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll" "
    O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
    O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll" " (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll" " (User 'Default user')





    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes, change the "Save as type" to "All Files", and place it on your desktop.
    Code:
    Rootkit::
    c:\windows\SYSTEM32\uacinit.dll
    
    File:: 
    c:\windows\syssvc.exe
    c:\windows\svcho.exe
    c:\documents and settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll
    c:\documents and settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"="wdmaud.drv"
    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "svcho"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\svcho.exe"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    NEXT**
    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition
      files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    MBAM log
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
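    The Drivers32 line in the CFScript above (and the Hijack.Sound detections MBAM reports later in the thread) are the same symptom: the wave/midi/mixer/aux aliases that should map to wdmaud.drv have been pointed at a DLL in the user's profile, which is why sound breaks. As an added example, not part of the thread or of ComboFix, the Python script below parses the REGEDIT4-style Drivers32 block that ComboFix prints under "Reg Loading Points" and flags any such remapping; the sample block, the SUSPICIOUS_DIRS heuristic and the function names are constructed assumptions.

```python
"""Flag hijacked multimedia driver mappings in a Drivers32 registry export.

Constructed example, not part of the thread or of any tool named in it.
It reads the REGEDIT4-style [...\\Drivers32] block that ComboFix prints
under "Reg Loading Points" and reports aliases that no longer point at the
stock Windows driver.
"""
import re

# On a clean Windows XP box the wave/midi/mixer/aux aliases resolve to the
# WDM audio mapper; the MBAM log in the thread reports this as the "Good" value.
WDMAUD_ALIASES = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.IGNORECASE)
EXPECTED_WDMAUD = "wdmaud.drv"

# Constructed heuristic: a legitimate Drivers32 entry has no business loading
# from a per-user profile or temp directory.
SUSPICIOUS_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                   "\\application data\\", "\\local settings\\")

# "name"=value, where the value may be quoted and may carry ComboFix's
# trailing [date size] annotation.
LINE_RE = re.compile(
    r'^\s*"(?P<name>[^"]+?)\s*"\s*=\s*"?(?P<value>[^"\[]*?)"?\s*(\[.*\])?\s*$')


def parse_drivers32(text):
    """Return {alias: value} for the [..\\Drivers32] key in a REGEDIT4 dump."""
    entries = {}
    in_key = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # Only the Drivers32 key is of interest; every other key is skipped.
            in_key = stripped.lower().endswith("\\drivers32]")
            continue
        if not in_key or not stripped:
            continue
        m = LINE_RE.match(stripped)
        if m:
            entries[m.group("name").strip()] = m.group("value").strip()
    return entries


def classify(alias, value):
    """Return a reason string if the mapping looks hijacked, else None."""
    low = value.lower()
    if WDMAUD_ALIASES.match(alias):
        if low != EXPECTED_WDMAUD:
            return "expected %s, found %s" % (EXPECTED_WDMAUD, value)
        return None
    if any(d in low for d in SUSPICIOUS_DIRS):
        return "driver loaded from a user-writable location: %s" % value
    return None


def find_hijacked(text):
    """List (alias, value, reason) for every suspicious Drivers32 entry."""
    findings = []
    for alias, value in parse_drivers32(text).items():
        reason = classify(alias, value)
        if reason:
            findings.append((alias, value, reason))
    return findings


# Constructed sample modelled on the ComboFix output posted in the thread.
SAMPLE = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
"mixer1"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
"aux2"="wdmaud.drv"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"vidc.cvid"="iccvid.dll"
"""

if __name__ == "__main__":
    for alias, value, reason in find_hijacked(SAMPLE):
        print("%-12s %s" % (alias, reason))
```

Running it on the sample reports wave1 and mixer1 and stays silent on the codec entries, which is the same split MBAM drew between Hijack.Sound items and the untouched rest of the key.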
     
  19. 2009/03/01
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    HI Juliet
    Thanks for hanging in there with me!!!
    Kaspersky got hung up again at 14% so I ran PANDA.
    Logs Below:

    ComboFix 09-02-28.01 - STAN 2009-02-28 23:38:26.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.56 [GMT -5:00]
    Running from: c:\documents and settings\STAN\Desktop\cleaner.exe
    Command switches used :: c:\documents and settings\STAN\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\documents and settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll
    c:\documents and settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll
    c:\windows\svcho.exe
    c:\windows\syssvc.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll
    c:\documents and settings\STAN\Application Data\Macromedia\Common\9a6ee0141.dll
    c:\windows\svcho.exe
    c:\windows\syssvc.exe
    c:\windows\SYSTEM32\uacinit.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
    .

    2009-02-27 18:51 . 2008-06-19 16:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
    2009-02-27 18:50 . 2009-02-27 18:50 <DIR> d-------- c:\program files\Panda Security
    2009-02-27 13:44 . 2009-02-27 13:44 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
    2009-02-27 13:40 . 2009-02-27 13:41 <DIR> d-------- c:\documents and settings\STAN\.SunDownloadManager
    2009-02-27 02:05 . 2009-02-27 02:05 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
    2009-02-25 14:24 . 2009-01-09 14:19 1,089,593 --------- c:\windows\SYSTEM32\DLLCACHE\ntprint.cat
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\STAN\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\windows\SYSTEM32\XPSViewer
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\program files\Reference Assemblies
    2009-02-24 17:26 . 2009-02-24 17:27 <DIR> d-------- C:\ad7466749e8d59fa3ab28d8b728c
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\DLLCACHE\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 05:50 597,504 --------- c:\windows\SYSTEM32\DLLCACHE\printfilterpipelinesvc.exe
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\DLLCACHE\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 117,760 --------- c:\windows\SYSTEM32\prntvpt.dll
    2009-02-24 17:26 . 2008-07-06 07:06 89,088 --------- c:\windows\SYSTEM32\DLLCACHE\filterpipelineprintproc.dll
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 20:14 . 2009-02-23 22:35 <DIR> d-------- c:\documents and settings\STAN\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-27 18:44 --------- d-----w c:\program files\Java
    2009-02-24 22:28 --------- d-----w c:\program files\MSBuild
    2009-02-24 06:40 --------- d-----w c:\program files\Windows Defender
    2009-02-24 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-23 05:03 --------- d-----w c:\program files\Smart Panel
    2009-02-23 05:00 --------- d-----w c:\program files\EPSON
    2009-02-13 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-13 03:12 --------- d-----w c:\program files\IncrediMail
    2007-04-16 07:25 24,192 ----a-w c:\documents and settings\STAN\usbsermptxp.sys
    2007-04-16 07:25 22,768 ----a-w c:\documents and settings\STAN\usbsermpt.sys
    2006-10-23 15:04 70,076 ----a-w c:\documents and settings\STAN\Winsock2.reg
    2006-05-15 03:22 33,408 ----a-w c:\documents and settings\STAN\g2mdlhlpx.exe
    2008-08-19 23:31 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-02-28_21.40.39.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-01 04:44:24 16,384 ----atw c:\windows\temp\Perflib_Perfdata_67c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-27 148888]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave1"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "wave2"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "mixer1"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "mixer2"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "aux1"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "midi1"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    "midi2"= c:\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    --a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2004-06-11 17:32 77824 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "ERSvc"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "mnmsrvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\Magentic\\bin\\MgImp.exe"=
    "c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
    "c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    R3 ma763004;M-Audio MobilePre USB; [x]
    R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2006-01-29 16896]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - ALG
    *Deregistered* - AudioSrv
    *Deregistered* - Browser
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - Dnscache
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - Fax
    *Deregistered* - helpsvc
    *Deregistered* - JavaQuickStarterService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LmHosts
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - ssrtln
    *Deregistered* - stisvc
    *Deregistered* - swenum
    *Deregistered* - TapiSrv
    *Deregistered* - Tcpip
    *Deregistered* - TermDD
    *Deregistered* - TermService
    *Deregistered* - tfsnboio
    *Deregistered* - tfsncofs
    *Deregistered* - tfsndrct
    *Deregistered* - tfsndres
    *Deregistered* - tfsnifs
    *Deregistered* - tfsnopio
    *Deregistered* - tfsnpool
    *Deregistered* - tfsnudf
    *Deregistered* - tfsnudfa
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - Update
    *Deregistered* - VgaSave
    *Deregistered* - VolSnap
    *Deregistered* - w32time
    *Deregistered* - Wanarp
    *Deregistered* - WebClient
    *Deregistered* - WinDefend
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WudfPf
    *Deregistered* - WudfSvc
    *Deregistered* - WZCSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-01 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ebay.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-28 23:44:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\IncrediMail\bin\ImApp.exe
    c:\windows\SYSTEM32\fxssvc.exe
    c:\windows\SYSTEM32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-28 23:52:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-01 04:51:59
    ComboFix2.txt 2009-03-01 02:42:44
    ComboFix3.txt 2009-02-27 18:31:33

    Pre-Run: 23,176,179,712 bytes free
    Post-Run: 23,162,933,248 bytes free

    228 --- E O F --- 2009-02-27 15:13:08


    Malwarebytes' Anti-Malware 1.34
    Database version: 1813
    Windows 5.1.2600 Service Pack 3

    2/28/2009 11:59:37 PM
    mbam-log-2009-02-28 (23-59-37).txt

    Scan type: Quick Scan
    Objects scanned: 68037
    Time elapsed: 3 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 8
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Applications\nxtepad.exe (Hijack.Notepad) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command\ (Hijack.Notepad) -> Bad: ("C:\WINDOWS\system32\nxtepad.exe" "%1") Good: (notepad.exe %1) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\SYSTEM32\msrstart.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\nxtepad.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\umtcdtw.sys (Backdoor.Bot) -> Quarantined and deleted successfully.


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-03-01 02:50:15
    PROTECTIONS: 1
    MALWARE: 14
    SUSPECTS: 3
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Windows Defender 1.1.4306.0 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@atdmt[2].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@mediaplex[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@ad.yieldmanager[2].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\STAN\Cookies\stan@ads.pointroll[1].txt
    00593436 W32/Autorun.AQG.worm Virus/Worm No 1 No No C:\Documents and Settings\STAN\Desktop\cleaner.exe[32788R22FWJFW\List.bat]
    00593436 W32/Autorun.AQG.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001109.bat
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001146.EXE
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001010.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001125.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\sysguard.exe.vir
    04814221 Generic Malware Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\UACvovywwxv.dll.vir
    04814221 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001007.dll
    04826705 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001006.dll
    04826705 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\UACqhheruvx.dll.vir
    04826785 Generic Malware Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\UACorrurawr.dll.vir
    04826785 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001008.dll
    04826787 Adware/SpywareGuard2008 Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_UACwbuwsfti_.sys.zip[UACwbuwsfti.sys]
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location ;p
    ;===================================================================================================================================================================================
    No C:\Documents and Settings\STAN\Desktop\a.exe ;p
    No C:\Qoobox\Quarantine\C\WINDOWS\svcho.exe.vir ;p
    No C:\Qoobox\Quarantine\C\WINDOWS\syssvc.exe.vir ;p
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description ;p
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:48:12 AM, on 3/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Documents and Settings\STAN\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 4225 bytes
     
  20. 2009/03/01
    Xpress

    Xpress Inactive

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    Also Problem with BackDoor.bot

    I'm ALSO having this same problem, but only with the backdoor.bot. I've used like 3 or 4 different scanners and I can't delete the virus. Is it really that complicated to get rid of?

    Anyways, please walk me through the steps as I can't shake this pest. Thanks!! :)
     
  21. 2009/03/01
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    Hi
    You should probably post a separate message for someone to help you with it.
     