
Frequent pop-under ads, antivirus advertising and websites

Discussion in 'Malware and Virus Removal Archive' started by jt1421, 2007/08/02.

  1. 2007/08/02
    jt1421

    jt1421 Inactive Thread Starter

    Joined:
    2007/08/02
    Messages:
    17
    Likes Received:
    0
    Recently, I have been having persistent pop-under ads. They usually advertise sites like MySpace (someone on your friend list likes you! etc), fvc.com or broadcaster.com, or WinAntiVirus and other "virus scans". It's very annoying and sometimes even happens when I'm not on Internet Explorer.

    I also had other virus related problems, but I recently ran a McAfee scan and a Spybot scan, and most of these were resolved. However, the pop unders continue.

    HJT log is as follows

    Logfile of HijackThis v1.99.1
    Scan saved at 12:13:33 AM, on 8/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\WINDOWS\system32\regscan.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Documents and Settings\User\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\User\Application Data\Microsoft\Windows\kkpyhwrn.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Jasmine Turner\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jasmine Turner\Application Data\Microsoft\Windows\kkpyhwrn.exe
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169742422164
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

    Any help would be much appreciated!
     
  2. 2007/08/03
    jt1421

    jt1421 Inactive Thread Starter

    Joined:
    2007/08/02
    Messages:
    17
    Likes Received:
    0
    Update: I have found out that the WinAntiVirus scan stuff was due to WinFixer, which I found a fix for. However, pop-unders to random sites (fvc.com, heavy.com, netster.com are several of them) continue to appear whenever I go on Internet Explorer. I also have a program that my McAfee said it could not completely remove: prcviewer. Would this have something to do with it?
     


  4. 2007/08/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jt1421

    OK, we need to run a few tools here. Please do them in the order given, making sure to follow the instructions exactly.

    Let's start off this way.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    RXToolBar

    Please note any other programs that you don't recognize in that list and post them in your next response.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


    Please follow these instructions exactly as given.

    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Reboot your computer.

    Please post the vundo log, combofix log and the AVG log

    Please Rename Hijackthis.exe to Killer.exe, run HJT again and post the new log.

    Thanks
    Geri
     
  5. 2007/08/03
    jt1421

    jt1421 Inactive Thread Starter

    Joined:
    2007/08/02
    Messages:
    17
    Likes Received:
    0
    Geri:

    Thank you for your reply.

    Under Add/Remove Programs, there was no RXToolBar. But there was a "My Way Search Assistant" with no option for Change/Remove. Also, there was "P2P Networking". I am unsure of whether this came with the computer or not.

    The contents of the vundofix.txt are as follows.

    VundoFix V6.5.6

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 1:21:43 AM 8/2/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\awtqq.dll
    C:\windows\system32\msfykpdb.exe
    C:\WINDOWS\system32\pipxndrp.dll
    C:\WINDOWS\system32\qqtwa.bak1
    C:\WINDOWS\system32\qqtwa.bak2
    C:\WINDOWS\system32\qqtwa.ini
    C:\WINDOWS\system32\qqtwa.ini2
    C:\WINDOWS\system32\qqtwa.tmp
    C:\windows\system32\rbxoafut.exe
    C:\windows\system32\rgfrhusu.exe
    C:\WINDOWS\system32\ssqrp.dll
    C:\windows\system32\uwrhuiav.ini
    C:\windows\system32\vaiuhrwu.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\awtqq.dll Has been deleted!

    Attempting to delete C:\windows\system32\msfykpdb.exe
    C:\windows\system32\msfykpdb.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.bak1
    C:\WINDOWS\system32\qqtwa.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.bak2
    C:\WINDOWS\system32\qqtwa.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.ini
    C:\WINDOWS\system32\qqtwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.ini2
    C:\WINDOWS\system32\qqtwa.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.tmp
    C:\WINDOWS\system32\qqtwa.tmp Has been deleted!

    Attempting to delete C:\windows\system32\rbxoafut.exe
    C:\windows\system32\rbxoafut.exe Has been deleted!

    Attempting to delete C:\windows\system32\rgfrhusu.exe
    C:\windows\system32\rgfrhusu.exe Has been deleted!

    Attempting to delete C:\windows\system32\uwrhuiav.ini
    C:\windows\system32\uwrhuiav.ini Has been deleted!

    Attempting to delete C:\windows\system32\vaiuhrwu.dll
    C:\windows\system32\vaiuhrwu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.6

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 12:23:57 PM 8/3/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ddayv.dll
    C:\WINDOWS\system32\prqss.bak1
    C:\WINDOWS\system32\prqss.bak2
    C:\WINDOWS\system32\prqss.ini2
    C:\WINDOWS\system32\prqss.tmp
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\vyadd.bak1
    C:\WINDOWS\system32\vyadd.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddayv.dll
    C:\WINDOWS\system32\ddayv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\prqss.bak1
    C:\WINDOWS\system32\prqss.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\prqss.bak2
    C:\WINDOWS\system32\prqss.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\prqss.ini2
    C:\WINDOWS\system32\prqss.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\prqss.tmp
    C:\WINDOWS\system32\prqss.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vyadd.bak1
    C:\WINDOWS\system32\vyadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vyadd.ini
    C:\WINDOWS\system32\vyadd.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.6

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 10:54:12 PM 8/3/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ddaby.dll
    C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\system32\oqstv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\vtsqo.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ybadd.ini
    C:\WINDOWS\system32\ybadd.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    However, I couldn't go any farther in your instructions, because when I tried to run Combofix, as the scan was starting, the following message popped up:

    "C:\WINDOWS\system32\cmd.com is not a valid Win32 application."

    I tried downloading from both links you provided. Any ideas?
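The VundoFix output above has a structure worth reading closely: each Vundo DLL is listed next to companion files whose name is the DLL's stem spelled backwards (awtqq.dll with qqtwa.ini and qqtwa.bak1, vaiuhrwu.dll with uwrhuiav.ini), and ssqrp.dll appears in all three scans without ever getting an "Attempting to delete" line. The following Python script is an added triage example, not part of VundoFix or of this thread. It parses a constructed log excerpt built from file names in the posts above, pairs each DLL with its mirrored companions, and reports files that were found but never confirmed deleted. The companion extensions and the "Has been deleted!" marker are taken from the log as posted; anything else is an assumption of this example.

```python
"""Triage a VundoFix log: pair Vundo DLLs with reversed-name companion files
and list files the scan found but never confirmed deleted.

Added example, not VundoFix code."""
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the VundoFix output posted in the thread
# (file names taken from that log, trimmed to a handful of entries).
SAMPLE_LOG = r"""VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 1:21:43 AM 8/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqq.dll
C:\windows\system32\msfykpdb.exe
C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\ssqrp.dll
C:\windows\system32\uwrhuiav.ini
C:\windows\system32\vaiuhrwu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.dll Has been deleted!

Attempting to delete C:\windows\system32\msfykpdb.exe
C:\windows\system32\msfykpdb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\qqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini Has been deleted!

Attempting to delete C:\windows\system32\uwrhuiav.ini
C:\windows\system32\uwrhuiav.ini Has been deleted!

Attempting to delete C:\windows\system32\vaiuhrwu.dll
C:\windows\system32\vaiuhrwu.dll Has been deleted!

Performing Repairs to the registry.
Done!
"""

# A Windows path: drive letter, colon, backslash, then something non-blank.
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# Companion extensions seen next to Vundo DLLs in the posted log.
COMPANION_EXTS = {".ini", ".ini2", ".bak1", ".bak2", ".tmp"}
DELETED_MARK = " Has been deleted!"


def found_files(log_text):
    """Paths listed between 'Listing files found' and 'Beginning removal'."""
    paths, in_listing = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Listing files found"):
            in_listing = True
        elif line.startswith("Beginning removal"):
            in_listing = False
        elif in_listing and PATH_RE.match(line):
            paths.append(line)
    return paths


def deleted_files(log_text):
    """Set of paths (lower-cased) that the log confirms as deleted."""
    return {
        line.strip()[: -len(DELETED_MARK)].lower()
        for line in log_text.splitlines()
        if line.strip().endswith(DELETED_MARK)
    }


def vundo_pairs(paths):
    """Map each DLL name to companions whose stem is the DLL stem reversed."""
    names = [PureWindowsPath(p).name.lower() for p in paths]
    pairs = {}
    for name in names:
        path = PureWindowsPath(name)
        if path.suffix != ".dll":
            continue
        mirrored = path.stem[::-1]
        pairs[name] = sorted(
            other for other in names
            if PureWindowsPath(other).stem == mirrored
            and PureWindowsPath(other).suffix in COMPANION_EXTS
        )
    return pairs


def not_removed(log_text):
    """Files the scan listed but never reported as deleted: they need a second look."""
    deleted = deleted_files(log_text)
    return [p for p in found_files(log_text) if p.lower() not in deleted]


if __name__ == "__main__":
    found = found_files(SAMPLE_LOG)
    for dll, companions in vundo_pairs(found).items():
        print(f"{dll}: companions {companions or 'none'}")
    print("found but not confirmed deleted:", not_removed(SAMPLE_LOG))
```

Run against the three scans in the post, the "not confirmed deleted" list is what tells you the cleanup is incomplete (ssqrp.dll in every run, ddaby.dll in the last), which is exactly the case Geri's note about VundoFix re-running on reboot is meant to cover.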
     
  6. 2007/08/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    So that the ComboFix log might be available when Geri comes online........ ;)


    cmd.com is not the legitimate command processor. Rename C:\WINDOWS\system32\cmd.com to C:\WINDOWS\system32\cmd.com.old and try ComboFix again.

    Dave slinks away into the shadows again
     
  7. 2007/08/03
    jt1421

    jt1421 Inactive Thread Starter

    Joined:
    2007/08/02
    Messages:
    17
    Likes Received:
    0
    Thank you for answering, but my C:\WINDOWS folder doesn't seem to have a system32 folder, at least not one that I or the Windows search engine can see. This is odd, because it lists this folder as a folder scanned during the VundoFix and the HJT scan. Am I just not looking hard enough, or do I need to look somewhere else?

    The only thing close is SYSTEM32 in C:\I386. The only files in this folder are NTDLL.DLL and SMSS. There is a file titled CMD in C:\I386, but I'm not sure that this is the file I'm looking for.
     
  8. 2007/08/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start>Run, type C:\Windows\System32\cmd.exe then hit enter. It should open a command window. Highlight and copy the command below and paste it into the command window, then hit enter.

    attrib -r -h -s C:\WINDOWS\system32

    Now copy and paste the next command and hit enter.

    ren C:\WINDOWS\system32\cmd.com cmd.com.old

    Try running ComboFix (see if you see the system32 folder now too).


    Again, Dave slinks back to the corner
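Why a zero-byte cmd.com breaks ComboFix: when a program starts "cmd" without an extension, Windows tries the PATHEXT extensions in order, and the default order puts .COM ahead of .EXE, so a planted cmd.com in System32 is found before the real cmd.exe. The ComboFix quarantine list later in this thread shows the same trick applied to ping, netstat, tracert, tasklist and taskkill. The Python script below is an added example, not code from this thread or from ComboFix. It checks a directory listing for .com files that sit beside a same-name .exe, flags the zero-byte ones, mimics the PATHEXT lookup to show which file a bare command name resolves to, and exposes the Hidden/System attribute test behind the attrib step above. The listing is constructed (sizes are placeholders); listing_from_dir reads a real directory when run on Windows.

```python
"""Spot .com files planted beside the real System32 tools.

Windows resolves an extension-less command name by appending the PATHEXT
extensions in order; the default order starts .COM;.EXE;.BAT;.CMD, so a
bogus cmd.com is picked up before cmd.exe. Added example, not ComboFix code.
"""
import os
import stat
from pathlib import PureWindowsPath

# Leading entries of the default Windows PATHEXT (the real list is longer).
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")

# Constructed listing of (file name, size in bytes). Sizes are placeholders;
# the zero-byte .com names mirror the ComboFix quarantine list in the thread.
SAMPLE_LISTING = [
    ("cmd.exe", 389120),
    ("cmd.com", 0),
    ("ping.exe", 17408),
    ("ping.com", 0),
    ("netstat.exe", 36864),
    ("netstat.com", 0),
    ("tasklist.exe", 84480),
    ("tasklist.com", 0),
    ("notepad.exe", 69120),
    ("more.com", 23040),  # legitimate .com tool with no .exe twin
]


def listing_from_dir(directory):
    """Read (name, size) pairs from a real directory, e.g. C:\\Windows\\System32."""
    with os.scandir(directory) as entries:
        return [(e.name, e.stat().st_size) for e in entries if e.is_file()]


def resolve_command(command, names, pathext=DEFAULT_PATHEXT):
    """Return the file Windows would pick for `command` within this one directory."""
    lower = {n.lower(): n for n in names}
    for ext in pathext:
        hit = lower.get((command + ext).lower())
        if hit is not None:
            return hit
    return None


def shadowing_com_files(listing):
    """(com_name, exe_name, com_size) for each .com beside a same-stem .exe."""
    present = {name.lower() for name, _ in listing}
    findings = []
    for name, size in listing:
        path = PureWindowsPath(name)
        if path.suffix.lower() != ".com":
            continue
        twin = path.stem.lower() + ".exe"
        if twin in present:
            findings.append((name, twin, size))
    return findings


def zero_byte(findings):
    """Zero-byte shadow files cannot execute; their effect is to block the real tool."""
    return [f for f in findings if f[2] == 0]


def hidden_or_system(attributes):
    """True if a Windows attribute bitmask has the Hidden or System bit set."""
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return bool(attributes & mask)


def directory_attributes(path):
    """Attribute bitmask of a path (0 on non-Windows, where the field is absent)."""
    return getattr(os.stat(path), "st_file_attributes", 0)


if __name__ == "__main__":
    names = [n for n, _ in SAMPLE_LISTING]
    print("bare 'cmd' resolves to:", resolve_command("cmd", names))
    for com, exe, size in shadowing_com_files(SAMPLE_LISTING):
        print(f"{com} shadows {exe} ({size} bytes)")
```

The script only reports; the rename-to-.old step stays a manual decision, as in the thread, because a .com beside an .exe is not always hostile (a few legitimate tools ship as .com). A directory for which directory_attributes returns a Hidden or System bit is the situation the attrib -r -h -s command above undoes.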
     
  9. 2007/08/04
    jt1421

    jt1421 Inactive Thread Starter

    Joined:
    2007/08/02
    Messages:
    17
    Likes Received:
    0
    Thanks, I got the ComboFix to work! I'm on to the next part of the instructions. Thanks for your help.
     
  10. 2007/08/04
    jt1421

    jt1421 Inactive Thread Starter

    Joined:
    2007/08/02
    Messages:
    17
    Likes Received:
    0
    Okay, all done. The Vundo log is in my last post, as well as the Add/Remove Programs list of programs I didn't recognize.

    Combofix log:


    2003-01-30 14:52 12073 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\FAD.sys.vir
    2007-07-11 03:29 22016 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b138.exe.vir
    2007-07-18 22:49 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cmd.com.vir
    2007-07-18 22:49 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\netstat.com.vir
    2007-07-18 22:49 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ping.com.vir
    2007-07-18 22:49 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\taskkill.com.vir
    2007-07-18 22:49 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tasklist.com.vir
    2007-07-18 22:49 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tracert.com.vir
    2007-07-18 22:49 62464 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bszip.dll.vir
    2007-07-18 22:53 12800 --a------ C:\Qoobox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir
    2007-07-19 10:57 66112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\oecacdcb.exe.vir
    2007-07-20 10:57 66112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\oevcvqpt.exe.vir
    2007-08-01 10:44 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fccyvst.dll.vir
    2007-08-01 10:45 164787 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk.vir
    2007-08-01 10:45 72832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\core.sys.vir
    2007-08-01 23:25 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wapisvtr32.exe.vir
    2007-08-01 23:52 66112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fgqnfaaf.exe.vir
    2007-08-01 23:52 69184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rjcdceie.dll.vir
    2007-08-02 13:35 66112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tvjswqll.exe.vir
    2007-08-02 20:49 878 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
    2007-08-03 23:05 228960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\awvvv.dll.vir
    2007-08-03 23:05 6467 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vvvwa.bak1.vir
    2007-08-04 11:05 7484 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vvvwa.bak2.vir
    2007-08-04 11:15 1220 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
    2007-08-04 11:15 832 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
    2007-08-04 11:15 862 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
    2007-08-04 11:15 994 --a------ C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
    2007-08-04 11:16 6554 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vvvwa.ini.vir
    2007-08-04 11:17 272408 --a------ C:\Qoobox\Quarantine\catchme2007-08-04_112309.37.zip
    2007-08-04 11:17 315 --a------ C:\Qoobox\Quarantine\catchme.log


    Folder PATH listing
    Volume serial number is 388E-BA3F
    C:\QOOBOX
    \---Quarantine
    | catchme.log
    | catchme2007-08-04_112309.37.zip
    |
    +---C
    | +---Program Files
    | | \---WinPop
    | | UnInstall.exe.vir
    | |
    | \---WINDOWS
    | | b138.exe.vir
    | | wr.txt.vir
    | |
    | \---SYSTEM32
    | | awvvv.dll.vir
    | | bszip.dll.vir
    | | cmd.com.vir
    | | fccyvst.dll.vir
    | | fgqnfaaf.exe.vir
    | | netstat.com.vir
    | | oecacdcb.exe.vir
    | | oevcvqpt.exe.vir
    | | ping.com.vir
    | | rjcdceie.dll.vir
    | | taskkill.com.vir
    | | tasklist.com.vir
    | | tracert.com.vir
    | | tvjswqll.exe.vir
    | | vvvwa.bak1.vir
    | | vvvwa.bak2.vir
    | | vvvwa.ini.vir
    | | wapisvtr32.exe.vir
    | |
    | \---DRIVERS
    | core.cache.dsk.vir
    | core.sys.vir
    | FAD.sys.vir
    |
    \---Registry_backups
    LEGACY_CMDSERVICE.reg.cf
    LEGACY_CORE.reg.cf
    LEGACY_NETWORK_MONITOR.reg.cf
    services_core.reg.cf



    AVG Log:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 13:12 2007-08-04

    + Scan result:



    HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
    HKU\S-1-5-21-160937832-960368864-3311883541-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
    C:\Documents and Settings\User\Local Settings\Temp\uninstall.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).
    C:\VundoFix Backups\msfykpdb.exe.bad -> Downloader.Tiny.id : Cleaned with backup (quarantined).
    C:\VundoFix Backups\rbxoafut.exe.bad -> Downloader.Tiny.id : Cleaned with backup (quarantined).
    C:\VundoFix Backups\rgfrhusu.exe.bad -> Downloader.Tiny.id : Cleaned with backup (quarantined).
    C:\Documents and Settings\User\Cookies\User@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@cupolaventures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@chicagosuntimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@comcast.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@maxis.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@realnetworks.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@safaribooks.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@superpages.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@viamtvnvideo.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@viarnd.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\User\Cookies\User@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\User\Cookies\User@pan.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
    C:\Documents and Settings\User\Cookies\User@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\User\Cookies\User@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@rotator.its.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
    C:\Documents and Settings\User\Cookies\User@roi.admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
    C:\Documents and Settings\User\Cookies\User@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\User\Cookies\User@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
    C:\Documents and Settings\User\Cookies\User@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\User\Cookies\User@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@estat[1].txt -> TrackingCookie.Estat : Cleaned.
    C:\Documents and Settings\User\Cookies\User@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\User\Cookies\User@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@ads.infinite-ads[2].txt -> TrackingCookie.Infinite-ads : Cleaned.
    C:\Documents and Settings\User\Cookies\User@search.live[1].txt -> TrackingCookie.Live : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\User\Cookies\User@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
    C:\Documents and Settings\User\Cookies\User@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\User\Cookies\User@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\User\Cookies\User@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
    C:\Documents and Settings\User\Cookies\User@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Cookies\User@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Cookies\User@anat.tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Cookies\User@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\User\Cookies\User@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
    C:\Documents and Settings\User\Local Settings\Temp\Cookies\User@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wapisvtr32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).


    ::Report end

    And finally, the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 13:45, on 2007-08-04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\regscan.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\Killer.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {60A1C11C-9F66-447C-BE13-A2A056C6E9B5} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: MSEvents Object - {9763D6A5-CFE9-4FA3-B63C-FC71EBF92155} - C:\WINDOWS\system32\ssqrp.dll (file missing)
    O2 - BHO: (no name) - {9E2C3DBB-EECF-42F4-9124-318509A27D30} - C:\WINDOWS\system32\ddayv.dll (file missing)
    O2 - BHO: MSEvents Object - {9EE8056B-F87F-4400-9001-7F7DF4F15C15} - C:\WINDOWS\system32\ddaby.dll (file missing)
    O2 - BHO: (no name) - {F0601910-6C59-46D7-92C8-779322687F40} - C:\WINDOWS\system32\vtsqo.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169742422164
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O20 - Winlogon Notify: ddaby - C:\WINDOWS\system32\ddaby.dll (file missing)
    O20 - Winlogon Notify: fccyvst - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mljhhfc - mljhhfc.dll (file missing)
    O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

    Thanks so much for your help!
     
  11. 2007/08/04
    Geri
    Hi jt1421

    I see Dave got us through the hard part. (Thanks Dave)
    Ok that cleaned quite a bit.
    The combofix log you posted was the quarantine log. I need the combofix.txt log.
    Please post that and please don't put it in a quote box, makes it harder to read.

    Thanks
    Geri
     
    Last edited: 2007/08/04
  12. 2007/08/04
    PeteC
    Code tags removed from offending post :)
     
  13. 2007/08/04
    jt1421
    Sorry for the confusion, here is the combofix text. And thanks for the edit, Pete. :)

    ComboFix 07-08-04.3 - "Windows User" 2007-08-04 11:12:29.8 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\USER~1\APPLIC~1.\smbols~1
    C:\Program Files\Common Files\mcroso~1.net
    C:\Program Files\winpop
    C:\Program Files\winpop\UnInstall.exe
    C:\WINDOWS\b138.exe
    C:\WINDOWS\system32\awvvv.dll
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\fccyvst.dll
    C:\WINDOWS\system32\fgqnfaaf.exe
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\oecacdcb.exe
    C:\WINDOWS\system32\oevcvqpt.exe
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\rjcdceie.dll
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\tvjswqll.exe
    C:\WINDOWS\SYSTEM32\vvvwa.bak1
    C:\WINDOWS\SYSTEM32\vvvwa.bak2
    C:\WINDOWS\SYSTEM32\vvvwa.ini
    C:\WINDOWS\system32\wapisvtr32.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-07-04 to 2007-08-04 )))))))))))))))))))))))))))))))


    2007-08-03 23:09 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-03 12:34 228,960 --a------ C:\WINDOWS\SYSTEM32\ddaby.dll.vir
    2007-08-03 00:00 <DIR> d-------- C:\HJT
    2007-08-02 23:34 3,046 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-08-02 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-02 21:32 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-08-02 20:38 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2007-08-02 20:33 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2007-08-02 20:33 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2007-08-02 20:33 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2007-08-02 20:33 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2007-08-02 20:33 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2007-08-02 20:33 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\McAfee
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-08-02 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-08-02 20:13 167 --a------ C:\DOCUME~1\USER~1\6021.bat
    2007-08-02 20:03 218,784 --a------ C:\WINDOWS\TrueInstall.exe
    2007-08-02 20:02 167 --a------ C:\DOCUME~1\USER~1\9781.bat
    2007-08-02 19:53 167 --a------ C:\DOCUME~1\USER~1\2578.bat
    2007-08-02 18:18 32,768 --a------ C:\DOCUME~1\USER~1\setup9x.exe
    2007-08-02 18:18 167 --a------ C:\DOCUME~1\USER~1\7178.bat
    2007-08-02 13:35 125,504 --a------ C:\WINDOWS\SYSTEM32\owahfbpp.dll
    2007-08-02 01:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-01 22:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
    2007-08-01 21:07 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-08-01 21:04 <DIR> d-------- C:\KAV
    2007-08-01 10:06 <DIR> d--hs---- C:\WINDOWS\SmFzbWluZSBUdXJuZXI
    2007-07-20 20:43 <DIR> d-------- C:\DOCUME~1\USER~1\APPLIC~1\Flickr
    2007-07-20 19:54 <DIR> d-------- C:\Program Files\Flickr Uploadr
    2007-07-20 16:46 167 --a------ C:\DOCUME~1\USER~1\9155.bat
    2007-07-20 16:27 <DIR> d-------- C:\BFU
    2007-07-20 02:54 167 --a------ C:\DOCUME~1\USER~1\3845.bat
    2007-07-20 00:43 167 --a------ C:\DOCUME~1\USER~1\4809.bat
    2007-07-19 14:51 167 --a------ C:\DOCUME~1\USER~1\6926.bat
    2007-07-19 14:43 167 --a------ C:\DOCUME~1\USER~1\5351.bat
    2007-07-18 22:50 73 --a------ C:\WINDOWS\SYSTEM32\n.bat
    2007-07-18 22:50 324,055 --a------ C:\WINDOWS\SYSTEM32\x.dat
    2007-07-18 22:50 167 --a------ C:\WINDOWS\SYSTEM32\2842.bat
    2007-07-18 22:49 38,413 --a------ C:\WINDOWS\SYSTEM32\app.exe
    2007-07-18 22:49 32,768 --a------ C:\WINDOWS\SYSTEM32\setup9x.exe
    2007-07-18 22:49 11,972 --a------ C:\WINDOWS\SYSTEM32\rm.exe
    2007-07-18 22:49 <DIR> d--hs---- C:\Program Files\outlook
    2007-07-18 22:48 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-03 18:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-03 14:18 38636 --a------ C:\DOCUME~1\USER~1\APPLIC~1\wklnhst.dat
    2007-08-03 14:12 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\LimeWire
    2007-08-02 20:32 --------- d-------- C:\Program Files\McAfee.com
    2007-08-02 20:18 --------- d-------- C:\Program Files\Google
    2007-08-02 19:57 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-02 19:57 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\AOL
    2007-08-02 19:56 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-07-18 11:26 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\WeatherBug
    2007-07-13 01:53 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\uTorrent
    2007-07-02 17:55 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\Apple Computer
    2007-06-15 10:47 278528 --a------ C:\WINDOWS\system32\livesnth.dll
    2007-06-11 22:53 --------- d-------- C:\Program Files\AIM6
    2007-06-06 21:35 120680 --a------ C:\DOCUME~1\USER~1\APPLIC~1\GDIPFONTCACHEV1.DAT
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 13:54 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-11 00:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-11 00:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
    2007-05-04 08:29 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
    C:\Program Files\RXToolBar\sfcont.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A1C11C-9F66-447C-BE13-A2A056C6E9B5}]
    C:\WINDOWS\system32\awtqq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9763D6A5-CFE9-4FA3-B63C-FC71EBF92155}]
    C:\WINDOWS\system32\ssqrp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E2C3DBB-EECF-42F4-9124-318509A27D30}]
    C:\WINDOWS\system32\ddayv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EE8056B-F87F-4400-9001-7F7DF4F15C15}]
    C:\WINDOWS\system32\ddaby.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0601910-6C59-46D7-92C8-779322687F40}]
    C:\WINDOWS\system32\vtsqo.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 15:37]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 15:19]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
    "DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 18:55]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
    "Regscan"="C:\WINDOWS\system32\regscan.exe" [2004-08-04 07:00]

    C:\Documents and Settings\User\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-06 00:01:48]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaby]
    C:\WINDOWS\system32\ddaby.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyvst]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhhfc]
    mljhhfc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp]
    C:\WINDOWS\system32\ssqrp.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
    R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
    R2 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
    R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
    R2 WUSB54GCSVC;WUSB54GCSVC;"C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 RT73;Linksys Home Wireless-G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt73.sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-02 11:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2004-12-20 21:17:20 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
    2007-08-03 00:32:47 C:\WINDOWS\Tasks\McDefragTask.job
    2007-08-03 00:32:46 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    2007-08-04 07:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
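Added example, not part of the thread and not code from the HijackThis or ComboFix authors: a small Python triage pass over the log lines posted above, to pick out the indicators the helpers were acting on. It flags O2/O3 registrations whose DLL is gone (a leftover CLSID that still has to be removed from the registry), O20 Winlogon Notify keys whose DLL is missing or carries a Vundo-family random name, O23 services with no publisher string, and, from the ComboFix "Other Deletions" list in post 13, the .com files that shadowed cmd, ping, netstat, tracert, taskkill and tasklist (the default PATHEXT order tries .COM before .EXE, so typing the tool name at a prompt ran the dropped copy instead of the real tool). The sample lines are copied from the HJT log above and the ComboFix log in post 13; the 5-letter-name rule and the shadowed-tool list are heuristics chosen for this example, not rules from either tool.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {60A1C11C-9F66-447C-BE13-A2A056C6E9B5} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: MSEvents Object - {9763D6A5-CFE9-4FA3-B63C-FC71EBF92155} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: ddaby - C:\WINDOWS\system32\ddaby.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljhhfc - mljhhfc.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Constructed sample: paths copied from the "Other Deletions" section of the ComboFix log in post 13.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\b138.exe
"""

# Assumption for this example: the console tools whose .com twins appear in the deletion list.
# Default PATHEXT lists .COM before .EXE, so "ping" typed at a prompt resolved to ping.com first.
SHADOWED_TOOLS = {"cmd", "ping", "netstat", "tracert", "taskkill", "tasklist"}

# Heuristic only: the Vundo/Virtumonde DLLs in this thread all had 5-letter lowercase names
# (awtqq, ssqrp, ddayv, ddaby, vtsqo, awvvv). Legitimate DLLs can match too; treat hits as leads.
VUNDO_STYLE_DLL = re.compile(r"^[a-z]{5}\.dll$")

# "{CLSID} - <target>" tail of an O2/O3 line; the target may itself contain " - "
# (e.g. "Spybot - Search & Destroy"), so anchor on the CLSID rather than splitting on " - ".
GUID_TAIL = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (.*)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


def basename(path):
    """Lower-cased file name of a Windows path, with HijackThis' '(file missing)' suffix stripped."""
    path = path.replace(" (file missing)", "").strip()
    return path.rsplit("\\", 1)[-1].lower()


def triage_hjt(text):
    """Return (section, reason, line) for HijackThis entries worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        if section in ("O2", "O3"):
            m = GUID_TAIL.search(line)
            target = m.group(1) if m else ""
            if target == "(no file)" or "(file missing)" in target:
                findings.append((section, "orphaned CLSID: DLL gone, registration still present", line))
            elif VUNDO_STYLE_DLL.match(basename(target)):
                findings.append((section, "Vundo-style 5-letter DLL name (heuristic)", line))
        elif section == "O20":
            m = NOTIFY.match(line)
            if m is None:
                continue
            _key, target = m.groups()
            if "(file missing)" in target:
                findings.append((section, "Winlogon Notify key survives after its DLL was removed", line))
            elif VUNDO_STYLE_DLL.match(basename(target)):
                findings.append((section, "Winlogon Notify loads a Vundo-style DLL at logon (heuristic)", line))
        elif section == "O23" and "Unknown owner" in line:
            findings.append((section, "service binary with no publisher string, verify by hand", line))
    return findings


def triage_deletions(text):
    """Return (tag, reason, path) for each path in ComboFix's 'Other Deletions' list."""
    findings = []
    for path in text.strip().splitlines():
        name = basename(path)
        stem, _, ext = name.rpartition(".")
        if ext == "com" and stem in SHADOWED_TOOLS:
            findings.append(("shadow", f"{name} shadows {stem}.exe via PATHEXT order", path))
        elif ext == "sys":
            findings.append(("driver", "kernel driver removed; check for a matching LEGACY_* service key", path))
        elif VUNDO_STYLE_DLL.match(name):
            findings.append(("vundo", "Vundo-style 5-letter DLL name (heuristic)", path))
        else:
            findings.append(("other", "unclassified, inspect manually", path))
    return findings


def summarize(findings):
    """Count findings per section/tag, handy for a quick read of a long log."""
    return Counter(tag for tag, _reason, _line in findings)


if __name__ == "__main__":
    for tag, reason, line in triage_hjt(HJT_SAMPLE) + triage_deletions(COMBOFIX_DELETIONS):
        print(f"[{tag}] {reason}\n    {line}")
```

Run it as-is to see the findings for the embedded lines, or feed it a full saved log with `triage_hjt(open("hijackthis.log").read())`. The orphaned-CLSID and missing-Notify hits are the ones that need registry cleanup even after the files are gone; the 5-letter rule only narrows down what to submit to a multi-engine scanner, as Geri asks for below.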
     
  14. 2007/08/05
    Geri
    Hi jt1421
    Sorry this took so long, lots of stuff to look up and confirm :)

    Ok please go to add/remove and remove these.

    P2P Networking
    SpywareBot
    LimeWire
    <<I would suggest removing LimeWire; P2P file sharing is a good way to become infected.


    My Way Search Assistant was put there by Dell, you can remove it this way.
    Go to: Start
    Click on: Run
    Copy and Paste: msiexec.exe /x{78d944d7-a97b-4004-ab0a-b5ad06839940}
    Hit enter, click yes if it prompts

    We need a few files scanned so please do this.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path (one at a time) into the "File to upload & scan" box at the top of the page:

      • C:\WINDOWS\SYSTEM32\app.exe
        C:\WINDOWS\SYSTEM32\setup9x.exe
        C:\WINDOWS\SYSTEM32\rm.exe

    • Click on the submit button
    • Please post the results in your next reply.


    Please copy everything in the quote box below, save it to your desktop as CFScript.txt and file type as "All Files"

    Now go to your desktop and Drag and Drop the CFScript.txt into ComboFix. Combofix will start and run.

    After it has finished
    Please post the new combofix log. And the jotti results.

    Thanks
    Geri
     
  15. 2007/08/05
    jt1421
    Don't worry about the time. The pop ups and stuff have stopped, so using my internet is much more bearable. Thanks so much for your help so far!

    Jotti results

    C:\WINDOWS\SYSTEM32\app.exe
    A-Squared Found nothing
    AntiVir Found TR/Crypt.XPACK.Gen
    ArcaVir Found Adware.Virtumonde.Jp
    Avast Found Win32:Vundo-gen49
    AVG Antivirus Found Generic2.HIX
    BitDefender Found MemScan:Trojan.Vundo.DMG
    ClamAV Found Trojan.Vundo-384
    CPsecure Found AdWare.W32.Virtumonde.jp
    Dr.Web Found Trojan.Virtumod
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.jp (4, 1, 400)
    Fortinet Found nothing
    Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.jp
    NOD32 Found Win32/Adware.Virtumonde application
    Norman Virus Control Found W32/Virtumonde.HHZ
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found Trojan.DR.Agent.IPB
    VBA32 Found nothing

    C:\WINDOWS\SYSTEM32\setup9x.exe
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found Trj/Downloader.PMU
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    C:\WINDOWS\SYSTEM32\rm.exe
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Combofix Log

    ComboFix 07-08-04.3 - "Windows User" 2007-08-05 14:59:00.9 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
    Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\BFU
    C:\BFU\alcanshorty.bfu
    C:\BFU\BFU.exe
    C:\WINDOWS\SmFzbWluZSBUdXJuZXI
    C:\WINDOWS\SYSTEM32\2842.bat
    C:\WINDOWS\SYSTEM32\ddaby.dll.vir
    C:\WINDOWS\SYSTEM32\LogFiles . . . . failed to delete
    C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log
    C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log . . . . failed to delete
    C:\WINDOWS\SYSTEM32\n.bat
    C:\WINDOWS\SYSTEM32\owahfbpp.dll
    C:\WINDOWS\system32\regscan.exe
    C:\WINDOWS\SYSTEM32\x.dat


    ((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


    2007-08-05 15:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
    2007-08-04 11:39 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-08-03 23:09 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-03 00:00 <DIR> d-------- C:\HJT
    2007-08-02 23:34 3,046 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-08-02 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-02 21:32 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-08-02 20:38 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2007-08-02 20:33 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2007-08-02 20:33 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2007-08-02 20:33 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2007-08-02 20:33 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2007-08-02 20:33 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2007-08-02 20:33 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\McAfee
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-08-02 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-08-02 20:13 167 --a------ C:\DOCUME~1\User~1\6021.bat
    2007-08-02 20:03 218,784 --a------ C:\WINDOWS\TrueInstall.exe
    2007-08-02 20:02 167 --a------ C:\DOCUME~1\User~1\9781.bat
    2007-08-02 19:53 167 --a------ C:\DOCUME~1\User~1\2578.bat
    2007-08-02 18:18 32,768 --a------ C:\DOCUME~1\User~1\setup9x.exe
    2007-08-02 18:18 167 --a------ C:\DOCUME~1\User~1\7178.bat
    2007-08-02 01:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-01 21:07 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-08-01 21:04 <DIR> d-------- C:\KAV
    2007-07-20 20:43 <DIR> d-------- C:\DOCUME~1\User~1\APPLIC~1\Flickr
    2007-07-20 19:54 <DIR> d-------- C:\Program Files\Flickr Uploadr
    2007-07-20 16:46 167 --a------ C:\DOCUME~1\User~1\9155.bat
    2007-07-20 02:54 167 --a------ C:\DOCUME~1\User~1\3845.bat
    2007-07-20 00:43 167 --a------ C:\DOCUME~1\User~1\4809.bat
    2007-07-19 14:51 167 --a------ C:\DOCUME~1\User~1\6926.bat
    2007-07-19 14:43 167 --a------ C:\DOCUME~1\User~1\5351.bat
    2007-07-18 22:49 38,413 --a------ C:\WINDOWS\SYSTEM32\app.exe
    2007-07-18 22:49 32,768 --a------ C:\WINDOWS\SYSTEM32\setup9x.exe
    2007-07-18 22:49 11,972 --a------ C:\WINDOWS\SYSTEM32\rm.exe
    2007-07-18 22:49 <DIR> d--hs---- C:\Program Files\outlook
    2007-07-18 22:48 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-05 15:15 --------- d-------- C:\DOCUME~1\User~1\APPLIC~1\WeatherBug
    2007-08-05 12:37 38644 --a------ C:\DOCUME~1\User~1\APPLIC~1\wklnhst.dat
    2007-08-03 18:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-03 14:12 --------- d-------- C:\DOCUME~1\User~1\APPLIC~1\LimeWire
    2007-08-02 20:32 --------- d-------- C:\Program Files\McAfee.com
    2007-08-02 20:18 --------- d-------- C:\Program Files\Google
    2007-08-02 19:57 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-02 19:57 --------- d-------- C:\DOCUME~1\User~1\APPLIC~1\AOL
    2007-08-02 19:56 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-07-13 01:53 --------- d-------- C:\DOCUME~1\User~1\APPLIC~1\uTorrent
    2007-07-02 17:55 --------- d-------- C:\DOCUME~1\User~1\APPLIC~1\Apple Computer
    2007-06-15 10:47 278528 --a------ C:\WINDOWS\system32\livesnth.dll
    2007-06-11 22:53 --------- d-------- C:\Program Files\AIM6
    2007-06-06 21:35 120680 --a------ C:\DOCUME~1\User~1\APPLIC~1\GDIPFONTCACHEV1.DAT
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 13:54 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-11 00:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-11 00:37 740442 --a------ C:\WINDOWS\system32\DivX.dll


    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    - Unable to find file version info. in file.

    ---- C:\WINDOWS\SYSTEM32\setup9x.exe ----

    Company: w00t
    File Description:
    File Version: 1.00
    Product Name: bbbb88888888887677
    Copyright:
    Original file name: installer.exe

    - Not a PE file.


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 15:37]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 15:19]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
    "DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 18:55]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-04 11:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
    "Regscan"="C:\WINDOWS\system32\regscan.exe" []

    C:\Documents and Settings\User\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-06 00:01:48]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
    R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
    R2 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
    R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
    R2 WUSB54GCSVC;WUSB54GCSVC;"C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 RT73;Linksys Home Wireless-G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt73.sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

    *Newly Created Service* - GTNDIS5

    Contents of the 'Scheduled Tasks' folder
    2007-08-02 11:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2004-12-20 21:17:20 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
    2007-08-03 00:32:47 C:\WINDOWS\Tasks\McDefragTask.job
    2007-08-03 00:32:46 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    2007-08-05 07:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-05 15:13:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-05 15:18:17 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-05 15:17

    --- E O F ---
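The listing above is the kind of thing a helper reads by eye: a 0-byte taskkill.exe in SYSTEM32, four-digit .bat files dropped into the profile root, a hidden+system "outlook" folder under Program Files, and Run entries whose target ComboFix could not stamp. As an added example (not code from the thread or from ComboFix), the Python below parses a few of those lines, embedded here as a constructed sample, and flags exactly those features. The rules are mine and deliberately noisy, and my reading of an empty `[]` as "target file not found" is an assumption; the output is a list for a human to judge, not a verdict.

```python
"""Triage a ComboFix log excerpt for the kinds of indicators visible in the post above.

Added example, not a tool from the thread or from ComboFix. The heuristics are my
own and deliberately noisy: they surface items for a human to judge, nothing more.
"""
import re

# Constructed sample: a handful of lines copied from the log posted above
# (paths appear as redacted in the post), with the forum's quote spacing normalised.
SAMPLE_LOG = r"""
2007-08-02 20:33 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-08-02 20:13 167 --a------ C:\DOCUME~1\USER~1\6021.bat
2007-08-02 18:18 32,768 --a------ C:\DOCUME~1\USER~1\setup9x.exe
2007-07-20 02:54 167 --a------ C:\DOCUME~1\USER~1\3845.bat
2007-07-18 22:49 38,413 --a------ C:\WINDOWS\SYSTEM32\app.exe
2007-07-18 22:49 <DIR> d--hs---- C:\Program Files\outlook
2007-07-18 22:48 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe
2007-08-02 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 15:37]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Regscan"="C:\WINDOWS\system32\regscan.exe" []
"""

# "Files Created" / Find3M line: date time, size or <DIR>, 9-char attribute field, path.
FILE_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+?)\s*$"
)
# Run-key line: "Name"="path" [file stamp]; tolerant of the stray spaces the forum inserts.
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+?)\s*"\s*=\s*"(?P<path>[^"]+?)\s*"\s*\[(?P<filestamp>[^\]]*)\]\s*$'
)
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr")
NUMERIC_BAT = re.compile(r"^\d{3,5}\.bat$", re.IGNORECASE)


def parse_file_line(line):
    """Return a dict for a file/dir line, or None if the line is something else."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    attrs = m["attrs"].lower()
    return {"path": m["path"], "size": size, "attrs": attrs, "is_dir": attrs.startswith("d")}


def triage(log_text):
    """Return (rule, path) findings for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f = parse_file_line(line)
        if f is not None:
            low = f["path"].lower()
            name = low.rsplit("\\", 1)[-1]
            if not f["is_dir"] and f["size"] == 0 and name.endswith(EXEC_EXT) and "\\windows\\" in low:
                # A 0-byte taskkill.exe cannot be the real tool; something replaced it.
                findings.append(("zero-byte executable in a Windows system directory", f["path"]))
            if NUMERIC_BAT.match(name):
                findings.append(("numeric-named batch file (dropper-style)", f["path"]))
            if f["is_dir"] and "h" in f["attrs"] and "s" in f["attrs"] and "\\program files\\" in low:
                findings.append(("hidden+system directory under Program Files", f["path"]))
            continue
        m = RUN_LINE.match(line)
        if m and m["filestamp"].strip() == "":
            # Assumption: ComboFix prints an empty [] when it could not stamp the
            # target, i.e. the autostart entry points at a file that is not there.
            findings.append(("autostart entry whose target has no file stamp", m["path"]))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule}: {path}")
```

Run it against a whole log by passing the file contents to `triage()`; the three file-line rules work on the Find3M section too, since it uses the same column layout.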
     
  16. 2007/08/05
    Geri (Lifetime Subscription; Inactive Alumni; joined 2003/03/02)
    Hi

    OK please do this.


    Download OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created). Please post the contents of this log.

    Please run combofix again and post the new log.

    Thanks
    Geri
     
  17. 2007/08/05
    jt1421 (Thread Starter; Inactive; joined 2007/08/02)
    I forgot to mention. Under Add/Remove programs, there was no SpywareBot, only Spybot. I was able to remove P2P and Limewire.


    _OTMoveIt

    Folder cleanup failed. C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR scheduled to be deleted on reboot.
    Folder cleanup failed. C:\WINDOWS\SYSTEM32\LogFiles scheduled to be deleted on reboot.
    File/Folder C:\DOCUME~1\User~1\6021.bat not found.
    File/Folder C:\DOCUME~1\User~1\9781.bat not found.
    File/Folder C:\DOCUME~1\User~1\2578.bat not found.
    File/Folder C:\DOCUME~1\User~1\setup9x.exe not found.
    File/Folder C:\DOCUME~1\User~1\7178.bat not found.
    File/Folder C:\DOCUME~1\User~1\9155.bat not found.
    File/Folder C:\DOCUME~1\User~1\3845.bat not found.
    File/Folder C:\DOCUME~1\User~1\4809.bat not found.
    File/Folder C:\DOCUME~1\User~1\6926.bat not found.
    File/Folder C:\DOCUME~1\User~1\5351.bat not found.
    C:\WINDOWS\SYSTEM32\app.exe moved successfully.
    C:\WINDOWS\SYSTEM32\setup9x.exe moved successfully.

    Created on 08/06/2007 00:32:34

    ComboFix log

    ComboFix 07-08-04.3 - "Windows User" 2007-08-06 0:39:35.10 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


    ((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


    2007-08-05 15:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
    2007-08-04 11:39 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-08-03 23:09 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-03 00:00 <DIR> d-------- C:\HJT
    2007-08-02 23:34 3,046 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-08-02 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-02 21:32 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-08-02 20:38 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2007-08-02 20:33 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2007-08-02 20:33 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2007-08-02 20:33 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2007-08-02 20:33 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2007-08-02 20:33 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2007-08-02 20:33 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\McAfee
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-08-02 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-08-02 20:13 167 --a------ C:\DOCUME~1\USER~1\6021.bat
    2007-08-02 20:03 218,784 --a------ C:\WINDOWS\TrueInstall.exe
    2007-08-02 20:02 167 --a------ C:\DOCUME~1\USER~1\9781.bat
    2007-08-02 19:53 167 --a------ C:\DOCUME~1\USER~1\2578.bat
    2007-08-02 18:18 32,768 --a------ C:\DOCUME~1\USER~1\setup9x.exe
    2007-08-02 18:18 167 --a------ C:\DOCUME~1\USER~1\7178.bat
    2007-08-02 01:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-01 21:07 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-08-01 21:04 <DIR> d-------- C:\KAV
    2007-07-20 20:43 <DIR> d-------- C:\DOCUME~1\USER~1\APPLIC~1\Flickr
    2007-07-20 19:54 <DIR> d-------- C:\Program Files\Flickr Uploadr
    2007-07-20 16:46 167 --a------ C:\DOCUME~1\USER~1\9155.bat
    2007-07-20 02:54 167 --a------ C:\DOCUME~1\USER~1\3845.bat
    2007-07-20 00:43 167 --a------ C:\DOCUME~1\USER~1\4809.bat
    2007-07-19 14:51 167 --a------ C:\DOCUME~1\USER~1\6926.bat
    2007-07-19 14:43 167 --a------ C:\DOCUME~1\USER~1\5351.bat
    2007-07-18 22:49 11,972 --a------ C:\WINDOWS\SYSTEM32\rm.exe
    2007-07-18 22:49 <DIR> d--hs---- C:\Program Files\outlook
    2007-07-18 22:48 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-05 19:24 38644 --a------ C:\DOCUME~1\USER~1\APPLIC~1\wklnhst.dat
    2007-08-05 15:15 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\WeatherBug
    2007-08-03 18:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-03 14:12 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\LimeWire
    2007-08-02 20:32 --------- d-------- C:\Program Files\McAfee.com
    2007-08-02 20:18 --------- d-------- C:\Program Files\Google
    2007-08-02 19:57 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-02 19:57 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\AOL
    2007-08-02 19:56 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-07-13 01:53 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\uTorrent
    2007-07-02 17:55 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\Apple Computer
    2007-06-15 10:47 278528 --a------ C:\WINDOWS\system32\livesnth.dll
    2007-06-11 22:53 --------- d-------- C:\Program Files\AIM6
    2007-06-06 21:35 120680 --a------ C:\DOCUME~1\USER~1\APPLIC~1\GDIPFONTCACHEV1.DAT
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 13:54 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-11 00:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-11 00:37 740442 --a------ C:\WINDOWS\system32\DivX.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 15:37]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 15:19]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
    "DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 18:55]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-04 11:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
    "Regscan"="C:\WINDOWS\system32\regscan.exe" []

    C:\Documents and Settings\User\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-06 00:01:48]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
    R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
    R2 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
    R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
    R2 WUSB54GCSVC;WUSB54GCSVC;"C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 RT73;Linksys Home Wireless-G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt73.sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

    *Newly Created Service* - GTNDIS5

    Contents of the 'Scheduled Tasks' folder
    2007-08-02 11:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2004-12-20 21:17:20 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
    2007-08-03 00:32:47 C:\WINDOWS\Tasks\McDefragTask.job
    2007-08-03 00:32:46 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    2007-08-05 07:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-06 00:46:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-06 0:49:43
    C:\ComboFix-quarantined-files.txt ... 2007-08-06 00:48
    C:\ComboFix2.txt ... 2007-08-05 15:18

    --- E O F ---
     
  18. 2007/08/06
    Geri (Lifetime Subscription; Inactive Alumni; joined 2003/03/02)
    Hi
    OK, let's try this one more time with ComboFix. If that doesn't work, we'll try a different tool.

    Please copy and paste everything in the quote box below into a blank Notepad, save it to your desktop as CFScript.txt, with file type set to "All Files".

    Now go to your desktop and Drag and Drop the CFScript.txt into ComboFix. Combofix will start and run.

    After it has finished
    Please post the new combofix log.

    Thanks
    Geri
     
  19. 2007/08/06
    jt1421 (Thread Starter; Inactive; joined 2007/08/02)
    ComboFix 07-08-04.3 - "Windows User" 2007-08-06 21:41:39.11 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
    Command switches used :: C:\Documents and Settings\Windows User\Desktop\CFScript.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\SYSTEM32\LogFiles
    C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log


    ((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


    2007-08-04 11:39 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-08-03 23:09 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-03 00:00 <DIR> d-------- C:\HJT
    2007-08-02 23:34 3,046 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-08-02 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-02 21:32 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-08-02 20:38 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2007-08-02 20:33 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2007-08-02 20:33 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2007-08-02 20:33 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2007-08-02 20:33 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2007-08-02 20:33 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2007-08-02 20:33 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\McAfee
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-08-02 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-08-02 20:13 167 --a------ C:\DOCUME~1\USER~1\6021.bat
    2007-08-02 20:03 218,784 --a------ C:\WINDOWS\TrueInstall.exe
    2007-08-02 20:02 167 --a------ C:\DOCUME~1\USER~1\9781.bat
    2007-08-02 19:53 167 --a------ C:\DOCUME~1\USER~1\2578.bat
    2007-08-02 18:18 32,768 --a------ C:\DOCUME~1\USER~1\setup9x.exe
    2007-08-02 18:18 167 --a------ C:\DOCUME~1\USER~1\7178.bat
    2007-08-02 01:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-01 21:07 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-08-01 21:04 <DIR> d-------- C:\KAV
    2007-07-20 20:43 <DIR> d-------- C:\DOCUME~1\USER~1\APPLIC~1\Flickr
    2007-07-20 19:54 <DIR> d-------- C:\Program Files\Flickr Uploadr
    2007-07-20 16:46 167 --a------ C:\DOCUME~1\USER~1\9155.bat
    2007-07-20 02:54 167 --a------ C:\DOCUME~1\USER~1\3845.bat
    2007-07-20 00:43 167 --a------ C:\DOCUME~1\USER~1\4809.bat
    2007-07-19 14:51 167 --a------ C:\DOCUME~1\USER~1\6926.bat
    2007-07-19 14:43 167 --a------ C:\DOCUME~1\USER~1\5351.bat
    2007-07-18 22:49 11,972 --a------ C:\WINDOWS\SYSTEM32\rm.exe
    2007-07-18 22:49 <DIR> d--hs---- C:\Program Files\outlook
    2007-07-18 22:48 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-05 19:24 38644 --a------ C:\DOCUME~1\USER~1\APPLIC~1\wklnhst.dat
    2007-08-05 15:15 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\WeatherBug
    2007-08-03 18:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-02 20:32 --------- d-------- C:\Program Files\McAfee.com
    2007-08-02 20:18 --------- d-------- C:\Program Files\Google
    2007-08-02 19:57 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-02 19:57 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\AOL
    2007-08-02 19:56 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-07-13 01:53 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\uTorrent
    2007-07-02 17:55 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\Apple Computer
    2007-06-15 10:47 278528 --a------ C:\WINDOWS\system32\livesnth.dll
    2007-06-11 22:53 --------- d-------- C:\Program Files\AIM6
    2007-06-06 21:35 120680 --a------ C:\DOCUME~1\ ~1\APPLIC~1\GDIPFONTCACHEV1.DAT
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 13:54 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-11 00:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-11 00:37 740442 --a------ C:\WINDOWS\system32\DivX.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 15:37]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 15:19]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
    "DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 18:55]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-04 11:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
    "Regscan"="C:\WINDOWS\system32\regscan.exe" []

    C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-06 00:01:48]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
    R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
    R2 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
    R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
    R2 WUSB54GCSVC;WUSB54GCSVC;"C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 RT73;Linksys Home Wireless-G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt73.sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

    *Newly Created Service* - GTNDIS5

    Contents of the 'Scheduled Tasks' folder
    2007-08-02 11:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2004-12-20 21:17:20 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
    2007-08-03 00:32:47 C:\WINDOWS\Tasks\McDefragTask.job
    2007-08-03 00:32:46 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    2007-08-06 07:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
     
  20. 2007/08/06
    Geri (Lifetime Subscription; Inactive Alumni; joined 2003/03/02)
    Hi
    Well darn, it's not often that ComboFix can't get rid of something :cool:

    Let's try Killbox.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\DOCUME~1\USER~1\6021.bat
      C:\DOCUME~1\USER~1\9781.bat
      C:\DOCUME~1\USER~1\2578.bat
      C:\DOCUME~1\USER~1\setup9x.exe
      C:\DOCUME~1\USER~1\7178.bat
      C:\DOCUME~1\USER~1\9155.bat
      C:\DOCUME~1\USER~1\3845.bat
      C:\DOCUME~1\USER~1\4809.bat
      C:\DOCUME~1\USER~1\6926.bat
      C:\DOCUME~1\USER~1\5351.bat


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Let me know if you get any messages from KillBox.
    Then please run combofix normally (without adding the CFScript) and post the log.

    Thanks
    Geri
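OTMoveIt's "scheduled to be deleted on reboot" in post 16's log, Killbox's Delete on Reboot above, and the PendingFileRenameOperations prompt Geri asks about all rest on one Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the work in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager (smss.exe) carries out early in the next boot. The Python below is an added example, not code from the thread, from OTMoveIt or from Killbox. It encodes and decodes that value so you can check what a tool has actually queued before you reboot, and it appends to an existing list rather than replacing it, which is the point of Killbox's prompt: entries already there usually belong to an installer or Windows Update. The Killbox path list from the post is reused as constructed input; reading the live value needs winreg on Windows and is left out so the example runs anywhere.

```python
r"""Decode, inspect and extend PendingFileRenameOperations, the list behind 'delete on reboot'.

Added example; not code from the thread, from OTMoveIt or from Killbox. It relies on
documented behaviour only: MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) queues work in
the REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as (source, target) string
pairs; an empty target means delete, a target starting with '!' means replace an
existing file; paths are in NT form (\??\C:\...). Each string is UTF-16LE and
NUL-terminated, and the list ends with one more NUL, so a delete entry appears as
source NUL NUL. Reading the live value needs winreg on Windows and is left out.
"""

NT_PREFIX = "\\??\\"

# Constructed input: three of the paths Killbox is asked to delete in the post above.
KILLBOX_LIST = [
    r"C:\DOCUME~1\USER~1\6021.bat",
    r"C:\DOCUME~1\USER~1\9781.bat",
    r"C:\DOCUME~1\USER~1\setup9x.exe",
]


def to_nt_path(win_path):
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def from_nt_path(nt_path):
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def encode_multi_sz(ops):
    """(source, target) pairs -> REG_MULTI_SZ bytes as the registry stores them."""
    flat = [s for pair in ops for s in pair]
    body = "".join(s + "\0" for s in flat) + "\0"   # per-string NULs, then list terminator
    return body.encode("utf-16-le")


def decode_multi_sz(raw):
    """REG_MULTI_SZ bytes -> list of (source, target) pairs; raises on a malformed value."""
    text = raw.decode("utf-16-le")
    if text.strip("\0") == "":
        return []                                   # empty or terminator-only value
    if not text.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    strings = text[:-1].split("\0")[:-1]            # drop list terminator, then the empty tail
    if len(strings) % 2:
        raise ValueError("odd number of strings; not (source, target) pairs")
    return list(zip(strings[0::2], strings[1::2]))


def describe(ops):
    """Classify each pair as delete / replace / rename, with Win32-style paths."""
    out = []
    for src, dst in ops:
        if dst == "":
            out.append(("delete", from_nt_path(src), None))
        elif dst.startswith("!"):
            out.append(("replace", from_nt_path(src), from_nt_path(dst[1:])))
        else:
            out.append(("rename", from_nt_path(src), from_nt_path(dst)))
    return out


def pending_deletions(raw):
    """Paths that will be removed at the next boot: what to check after a 'delete on reboot' tool."""
    return [path for kind, path, _ in describe(decode_multi_sz(raw)) if kind == "delete"]


def schedule_deletes(raw_existing, win_paths):
    """Append delete entries to an existing value instead of replacing it.

    Overwriting would silently drop renames queued by an installer or Windows Update,
    which is why Killbox warns when the value is already populated.
    """
    ops = decode_multi_sz(raw_existing) + [(to_nt_path(p), "") for p in win_paths]
    return encode_multi_sz(ops)


if __name__ == "__main__":
    queued = schedule_deletes(b"", KILLBOX_LIST)
    for kind, src, dst in describe(decode_multi_sz(queued)):
        print(kind, src, dst or "")
```

On a live XP box the bytes for `decode_multi_sz` come from `winreg.QueryValueEx` on that key (the value is absent when nothing is queued), and the check to run after OTMoveIt or Killbox and before rebooting is simply whether `pending_deletions()` lists the paths you gave the tool.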
     
  21. 2007/08/08
    jt1421 (Thread Starter; Inactive; joined 2007/08/02)
    Sorry for the late post...I have been extremely busy for the past few days with a number of things...things should be letting up soon, but I'm afraid that my posts might be a bit infrequent for a while. Nevertheless, I did as you instructed. :) There weren't any pop-ups or messages from Killbox.



    ComboFix 07-08-04.3 - "Windows User" 2007-08-08 21:25:01.13 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


    ((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


    2007-08-08 02:54 <DIR> d-------- C:\!KillBox
    2007-08-07 14:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Incomplete
    2007-08-06 22:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
    2007-08-04 11:39 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-08-03 23:09 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-03 00:00 <DIR> d-------- C:\HJT
    2007-08-02 23:34 3,046 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-08-02 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-02 21:32 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-08-02 20:38 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2007-08-02 20:33 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2007-08-02 20:33 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2007-08-02 20:33 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2007-08-02 20:33 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2007-08-02 20:33 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2007-08-02 20:33 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\McAfee
    2007-08-02 20:31 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-08-02 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-08-02 20:03 218,784 --a------ C:\WINDOWS\TrueInstall.exe
    2007-08-02 01:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-01 21:07 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-08-01 21:04 <DIR> d-------- C:\KAV
    2007-07-20 20:43 <DIR> d-------- C:\DOCUME~1\USER~1\APPLIC~1\Flickr
    2007-07-20 19:54 <DIR> d-------- C:\Program Files\Flickr Uploadr
    2007-07-18 22:49 11,972 --a------ C:\WINDOWS\SYSTEM32\rm.exe
    2007-07-18 22:49 <DIR> d--hs---- C:\Program Files\outlook
    2007-07-18 22:48 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-08 03:02 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\WeatherBug
    2007-08-07 22:00 38656 --a------ C:\DOCUME~1\USER~1\APPLIC~1\wklnhst.dat
    2007-08-03 18:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-02 20:32 --------- d-------- C:\Program Files\McAfee.com
    2007-08-02 20:18 --------- d-------- C:\Program Files\Google
    2007-08-02 19:57 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-02 19:57 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\AOL
    2007-08-02 19:56 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-07-13 01:53 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\uTorrent
    2007-07-02 17:55 --------- d-------- C:\DOCUME~1\USER~1\APPLIC~1\Apple Computer
    2007-06-15 10:47 278528 --a------ C:\WINDOWS\system32\livesnth.dll
    2007-06-11 22:53 --------- d-------- C:\Program Files\AIM6
    2007-06-06 21:35 120680 --a------ C:\DOCUME~1\USER~1\APPLIC~1\GDIPFONTCACHEV1.DAT
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-11 13:54 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-11 00:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-11 00:37 740442 --a------ C:\WINDOWS\system32\DivX.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 15:37]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 15:19]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
    "IntelMeM "= "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "PCMService "= "C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
    "DwlClient "= "c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05]
    "Microsoft Works Update Detection "= "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 18:55]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-04 11:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent "= "C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "Weather "= "C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
    "Regscan "= "C:\WINDOWS\system32\regscan.exe" []

    C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-06 00:01:48]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
    R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
    R2 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
    R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
    R2 WUSB54GCSVC;WUSB54GCSVC; "C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe "
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 RT73;Linksys Home Wireless-G USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt73.sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

    *Newly Created Service* - GTNDIS5

    Contents of the 'Scheduled Tasks' folder
    2007-08-02 11:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2004-12-20 21:17:20 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
    2007-08-03 00:32:47 C:\WINDOWS\Tasks\McDefragTask.job
    2007-08-03 00:32:46 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    2007-08-07 07:00:02 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-08 21:30:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-08 21:34:22
    C:\ComboFix-quarantined-files.txt ... 2007-08-08 21:33
    C:\ComboFix2.txt ... 2007-08-08 03:18
    C:\ComboFix3.txt ... 2007-08-06 00:49

    --- E O F ---
     
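As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage helper for the log format posted above: it parses "Files Created" lines and Run-key entries and flags the items an analyst would look at first, such as a zero-byte binary under the Windows tree, a hidden+system directory under Program Files, or a Run value whose target file has no timestamp. The sample lines, file names and Run value names in it are constructed for illustration and are not taken from the poster's log.

```python
import re
from typing import List, Tuple

# Constructed sample in the ComboFix log format quoted in the thread above;
# the entries are made up for illustration and are not from the poster's log.
SAMPLE_LOG = """\
2007-08-02 20:33 71,496 --a------ C:\\WINDOWS\\SYSTEM32\\DRIVERS\\example.sys
2007-07-18 22:49 <DIR> d--hs---- C:\\Program Files\\hiddenapp
2007-07-18 22:48 0 --a------ C:\\WINDOWS\\SYSTEM32\\somecmd.exe
"VideoTray "= "C:\\WINDOWS\\system32\\vtray.exe" [2003-10-02 15:37]
"Updater "= "C:\\WINDOWS\\system32\\updater.exe" []
"""

# "Files Created" line: date time  size-or-<DIR>  attribute flags  path
FILE_RE = re.compile(r'^(\S+ \S+)\s+(<DIR>|[\d,]+)\s+([d-][-a-z]{8})\s+(.+)$')
# "Reg Loading Points" Run entry: "name"= "path" [timestamp of the target, or empty]
RUN_RE = re.compile(r'^"([^"]*?)\s*"=\s*"([^"]+)"\s*\[([^\]]*)\]\s*$')

EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.ocx')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            _, size, attrs, path = m.groups()
            lower = path.lower()
            if size == '<DIR>':
                # Legitimate applications rarely mark their own folder hidden+system.
                if 'h' in attrs and 's' in attrs and '\\program files\\' in lower:
                    findings.append((path, 'hidden+system directory under Program Files'))
            elif size == '0' and lower.endswith(EXEC_EXT) and '\\windows\\' in lower:
                # A zero-byte binary in the Windows tree cannot be the genuine file.
                findings.append((path, 'zero-byte executable in Windows directory'))
            continue
        m = RUN_RE.match(line)
        if m:
            name, path, stamp = m.groups()
            if not stamp.strip():
                # An empty [] means the target could not be read: the Run value outlived its file.
                findings.append((path, f'Run value "{name}" points at a file with no timestamp'))
    return findings


if __name__ == '__main__':
    for path, reason in triage(SAMPLE_LOG):
        print(f'{reason}: {path}')
```

The rules only rank entries for review; whether a flagged item is actually unwanted still needs the file itself (hash, signer, strings) checked, as the helper in this thread does before issuing removal instructions.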
